KR20200107931A - System and method for key generation and storage for multi-point authentication - Google Patents

Abstract

The present invention is a platform and/or agnostic authentication method and system operable to authenticate users, data, documents, devices and transactions. Embodiments of the present invention may be operable with any client system. The authentication method and system is operable to distribute a unique portion of anonymous login related information among multiple devices. This unique piece of device and anonymous login information is used by the solution to authenticate users, data, documents, devices and transactions. Login-related information is not stored in any part of the solution, and users and devices are authenticated anonymously. This solution allows users to access secure portions of the client system without revealing the user's key through a semi-automated process.

Description

System and method for key generation and storage for multi-point authentication

The present invention generally relates to the field of network or system authentication, and more particularly, to user authentication of a network and data exchanged with the user through a network or system.

All organizations must protect their data from potential security breaches. Organizations can only access systems through data security, through multiple technologies, to authorized persons. Therefore, data security and authenticated system access are one of the major challenges facing organizations today.

There are currently a number of systems and methods that affect the different types of authentication of system and network users. These different types of authentication have different levels of security and stability. The following are examples of prior art authentication method types for systems and networks.

U.S. Patent No. 6,962,530, issued to the IGT on November 8, 2005, discloses an architecture and method for a game-specific platform featuring secure storage and verification of game code and other data. This method also provides users with the ability to securely exchange data with a computerized betting game system. The present invention does not involve spreading login information among multiple devices.

U.S. Patent No. 9,053,306, issued to NEC Solution Innovators, Ltd. on June 9, 2015, initiates an authentication system that can calculate first and second hashing values from login information entered by a user. Are doing. If the first and second hashing values match each other, a session is established between the server and the terminal. The invention does not involve retaining some of the encrypted details.

US Patent No. 8,989,706 issued to Microsoft Corporation on March 24, 2015 discloses a system, method, and/or technology related to automatic secure pairing of devices in connection with parallel downloading of content using devices. A tool for pairing devices may perform an authentication protocol based on an address and a key. The invention does not involve retaining some of the encrypted details.

U.S. Patent No. 8,356,180, issued to Koninklijke Philips Electronics NV on January 15, 2013, describes multidimensional identification, authentication, authentication, and key distribution relationships for secure communication in a deep common security domain. Disclosing method for The present invention cannot authenticate a transaction unless the user discloses the user's key to the system.

US Patent No. 6,847,995, issued to United Devices, Inc. on August 25, 2000, discloses a security architecture and related method for providing secure transmission within a distributed processing system. The invention does not involve multi-layer encryption or maintaining some of the encrypted details.

U.S. Patent Application Publication No. 2017/0149796 filed by Yaron Gvili on November 23, 2016, discloses systems and technologies that allow third-party verifiers to verify aspects of secure data or to enable successful communication. . The invention does not involve multi-layer encryption or maintaining some of the encrypted details.

US Patent Application Publication No. 2011/0246779 filed on June 6, 2011 by Isamu Teranishi discloses a zero knowledge proof system that allows discrete log zero knowledge proof. The invention does not involve multi-layer encryption or maintaining some of the encrypted details.

Encryption methods and systems of the prior art are particularly susceptible to involvement of third parties in the transmission of data and information between users and users and systems or networks. If a third party has access to the data being transmitted, the login details can be estimated from that information. If all login information is available in the data transferred between the user and the system, a third party can log in to the system using the user's login information. Using a known authentication method and system poses a security risk to the current system.

There is a need for an authentication method and system that prevents obtaining user login information through third party interference with transmitted data.

In one aspect, the present invention relates to an authentication method and system operable to authenticate users, data, documents, devices and transactions. Embodiments of the present invention may be capable of operating in any system or network and are platform independent. The authentication method and system is operable to securely generate and distribute a unique portion of login related information among multiple devices. The paid portion of login related information is used by the system to authenticate users, data, documents, devices and transactions without revealing login related information to the system. This system protects login-related information during generation, transmission, storage and authentication. In another aspect, the present disclosure relates to authentication without revealing the key to the system.

In another aspect, the present disclosure is directed to a user authentication system and method comprising: a client system incorporating a secure portion; A user system operable to allow a user to access the client system and store portions of login information;

A verification system capable of transmitting and receiving information to and from the client system and the user system; And

It includes a synchronization system incorporating multiple synchronization elements in which a unique portion of login related information for a user can be transmitted in both directions with the verification system and is stored, accessed and used.

In yet another aspect, the present invention relates to a system and method for authenticating user interaction with a client system, comprising: a user device; Client system; A client display unit; And a client verification system; The user device, the client system, the client display unit and the client verification system are operable to allow the user to authenticate user interaction with the client system without revealing a user key for the system.

In this regard, before describing at least one embodiment of the present invention in detail, it should be understood that the present invention is not limited to being applied to the details of the configuration and configuration of components described in the following description or illustrated in the drawings. . The present invention is capable of other embodiments and can be implemented and carried out in various ways. In addition, it is to be understood that the phraseology and terminology used herein is for the purpose of description and should not be regarded as limiting.

The invention will be better understood, and the object of the invention will become apparent upon consideration of the following detailed description. This description refers to the accompanying drawings, where:
1 is a system diagram showing an embodiment of an authentication system of the present invention.
FIG. 2 is a system diagram showing a configuration of elements operable to transmit data between a client system and a verification system according to an embodiment of the present invention.
3 is a system diagram showing the configuration of elements operable to perform the registration process of the embodiment of the present invention.
4 is a system diagram showing the configuration of an element operable to perform an access process of an embodiment of the present invention.
5 is a system diagram illustrating a synchronization element operable to process a hashed OY-packet portion according to an embodiment of the present invention.
6 is a system diagram showing a configuration of an element operable to perform a decoding process according to an embodiment of the present invention.
7 is a system diagram showing elements of a user device according to an embodiment of the present invention.
8 is a system diagram showing elements of a client system according to an embodiment of the present invention.
9 is a system diagram illustrating components of a client display unit according to an embodiment of the present invention.
10 is a system diagram showing elements of a verification system according to an embodiment of the present invention.
11 is a system diagram illustrating the configuration of elements operable to perform processing of a user authentication request for accessing a secure portion(s) of a client system according to an embodiment of the present invention.
12 is a system diagram showing the configuration of elements operable to generate and process noise and keys for user authentication according to an embodiment of the present invention.
13 is a system diagram showing a configuration of an element operable to verify a key for user authentication according to an embodiment of the present invention.
14 is a system diagram showing the configuration of an element operable to verify a token for user authentication according to an embodiment of the present invention.
15 is a system diagram showing the configuration of an element operable to perform challenge verification through a client display system for user authentication according to an embodiment of the present invention.
16 is a system diagram showing a configuration of an element operable to perform challenge verification through a user device for user authentication according to an embodiment of the present invention.
17 shows a registration method according to an embodiment of the present invention.
18 illustrates a method of generating one or more keys according to an embodiment of the present invention.
19 shows a method of distributing one or more keys according to an embodiment of the present invention.
20 shows a login method according to an embodiment of the present invention.
21 shows a method of generating one or more keys according to an embodiment of the present invention.
22 illustrates a method of distributing one or more verification keys according to an embodiment of the present invention.
23 illustrates a method of verifying a verification key in a local database according to an embodiment of the present invention.
24 shows a method of verifying a verification process according to an embodiment of the present invention.
25 illustrates a method of generating one or more barcodes according to an embodiment of the present invention.
26 illustrates a method of generating one or more keys according to an embodiment of the present invention.
27 illustrates a method of generating one or more keys according to an embodiment of the present invention.
28 illustrates a method of generating one or more keys according to an embodiment of the present invention.
29 illustrates a method of establishing a web session according to an embodiment of the present invention.
In the drawings, embodiments of the invention are shown by way of example. It should be clearly understood that the description and drawings are for illustrative purposes only and are for better understanding, and are not intended to define the limitations of the present invention.

The present invention is an authentication method and system operable to authenticate users, data, documents, devices and transactions. Embodiments of the present invention may be operable with any system or network of any organization or individual. The authentication method and system is operable to distribute a unique portion of login related information among multiple devices. The paid portion of login related information is used by the system to authenticate users, data, documents, devices and transactions without disclosing login related information to the system. Login-related information is encrypted and/or hashed through multi-layer encryption and/or hashing, and some of the encrypted and/or hashed details are reserved. All devices storing login-related information will be used in the authentication method and system. Login related information provided to the user is not disclosed and/or stored on the system or user device. When authenticating data, documents, devices and transactions, there is no need to disclose keys to the system.

In the present specification, "client system" refers to a network or system of an organization or individual. In the present specification, reference to "user device" means that a user logs in to a client system using a device such as a laptop, tablet, mobile phone, smart phone, desktop computer, smart watch, or computing device. Can log in to the client system or any other device that requires secure login. Reference to “transfer of information” between a user and a client system may include generation, transfer or storage of information that occurs in connection with the system. For clarity, when referring to any device or element of an authentication system that “accesses” to another system or element, it may include one of the following: (i) Information by accessing another unit or element. A unit or element that obtains a; Or (ii) a unit or element that transmits a request for information to be retrieved or generated to another unit or element, and if such information is retrieved or generated in response to the request, such information will be transmitted to the unit or element that sent the request. I can.

When a user logs in to a client system using a user device, the generation, transmission, storage, or authentication of login-related information between the user device and the client system may be vulnerable to a third party attack. As a result of a third party's attack on a user device or client system, the third party may obtain and/or use such information for malicious purposes while generating, transmitting, storing and/or authenticating login information. For example, a third party can log into the client system using the obtained login information. Hence, by obtaining more login-related information from the client system, unauthorized access to the client system is achieved, or it moves laterally to the system connected to the client system. As another example, third parties may use data, documents or transactional information obtained from attacks for a variety of unauthorized purposes (i.e., distributing information to counterparties, using information to gain market advantage, ransom money, espionage, subversiveness). Etc.). The present invention reduces the vulnerability of the client system to unauthorized use of data, documents or transactional information generated, transmitted and/or stored between the client system or the client device and the user device.

The method of the present invention involves a user using a user device to log into an organization or individual's client system. Login related information is hashed and/or encrypted through a single or multi-layer hashing and/or encryption process. In particular, at least a portion of the encryption and/or hashing key may be generated and stored on the user's device. Other unique pieces of login-related information are stored on different devices in the environment. Payment of a unique portion of login-related information between multiple devices indicates that a third party accessing information transferred between the client system and the user's device is unable to obtain some or all of the information required to successfully log in to the client system. it means. Also, in one aspect of the current system, in order to authenticate a data document, device, transaction and/or user, the user's device must prove that it has a valid key on the client system or that the device has previously been authenticated. This will be achieved by the present invention without the need for the user device to disclose the key to the client system. Thus, authentication of data, documents, devices, transactions and users can occur without the user revealing his or her key to the client system.

Login related information is generated uniquely and is not stored and/or transmitted; This prevents unauthorized third-party access to the client system along with user device support multi-point authentication.

Since most prior art authentication systems involve the generation, storage, transmission and single point authentication of login-related information between the user's device and the client system, prior art systems are vulnerable to such information being compromised by third parties. Do. If such information is obtained by a third party, this information can be used to log into the system network from a single point of authentication without authentication or unauthorized use of data, documents or transaction information. The present invention provides an advantage over prior art systems in that the client system is not vulnerable to third party access to information that allows unauthorized access to data, documents or transactional information. The authentication system of the present invention solves the prior art authentication problems that can be compromised at generation, storage, transit and authentication points.

As an example of another advantage of the invention over prior art systems, prior art systems are generally not capable of operating with any type of client system, or any type of user device. The present invention provides an organization with a secure authentication system that will provide users with the necessary secure access to access their organization's data through any platform, solution or environment. The present invention may be implemented by any organization for use with any type of client system and any user device on any platform.

Another example of the advantages of the present invention over the prior art is that the present invention can perform hive authorization of devices within the environment. For example, multiple mobile and/or storage devices across a geo-temporal zone can be authenticated in the Hive authentication process. Prior art systems cannot be operated to perform hive authentication over a geo-time domain.

Embodiments of the present invention may include a number of components operable to authenticate a user for a user login to a client system having a secure portion therein or for a user to access a secure portion of such a system. For example, an embodiment of the present invention may include three main components as follows: (1) Synchronized Multi-Face Authentication (SMFA); (2) Interactive Semi-Manual Authentication (ISMA); (3) Transaction authentication. To provide an example of this embodiment of the present invention, all three of these components of the embodiment of the present invention are described below. A skilled reader will recognize that other configurations of the invention are possible, including configurations including only one or two of the three components described below, or configurations including other components.

[11]

Synchronized Multi-Faceted Authentication (SMFA)

The authentication method and system for a user of the present invention is that the encrypted and/or hashed portion of random multi-unit login related information is distributed between devices (e.g., users and/or system devices and storage units) and such devices All of them should be used to authenticate the user.

Therefore, when login data is generated, transmitted, stored or compromised during authentication (e.g., unauthorized access by third parties, etc.), only the encryption and/or hashing portion of time-sensitive random login-related information of unknown user(s) is Will be obtained, and this data cannot be used to authenticate the user.

More specifically, the present invention provides a challenge for a user to log into a client system, e.g., a static challenge, a pin and/or pattern challenge, an animated and/or non-animated challenge, a graphic and/or non-graphical challenge, two-dimensional and /Or 3D challenges, mobile and/or static gamified challenges, and/or non-gamified interface challenges. The system can select a set of units and use them to create challenges. Each unit is randomly assigned several digits and can be changed for each login event. The user can select multiple challenges in the same authentication event and all subsequent authentication events.

The set of units selected during the challenge is divided into several unique system parts by the authentication system. The units of each unit part can be individually hashed or encrypted to produce a unit result. The units of each system part are collectively hashed and/or encrypted to produce a system part result. Each device in the system part and the number of hashing and/or encryption applied to each system part may vary.

A portion of the hashed and/or encrypted result is stored on the client or on another device in the distributed architecture of the other system and a portion on the user's device. For example, portions of the hashed and/or encrypted results may be stored on multiple users and system devices.

User devices as well as all client system devices that contain hashed and/or encrypted partial data must self-verify. Once the device is authenticated, users can be jointly authenticated.

The present authentication system invention is platform independent and thus can be used with any client system.

Interactive Semi-Manual Authentication (ISMA)

The authentication process for the user of the present invention operates such that login information is encrypted and/or hashed using a multi-layer encryption and/or hashing function. Some of the random encryption and/or hashing details are not stored on the client system or user device, but are manually transmitted and held back, thereby reducing the likelihood of being compromised during transmission, storage or authentication.

The system of the present invention provides the key (ie, key #1) to the mobile device. All keys of the present invention are encrypted and/or hashed using multi-layer encryption and/or hashing functions.

The encrypted key must be used in the authentication process of the present invention, so the user must first authenticate using the SMFA process described here, and thus must validate the key and authenticate the user's device.

The system creates a challenge based on a random encrypted key that changes with each login event. The authenticated user scans the challenge using the authenticated device. At the end of this process some or all of the randomly encrypted keys are transmitted to the user device.

In some embodiments of the invention, there may be different sets of encrypted random keys that may be generated by the user device to be changed at each login event. Multiple keys that can be combined to form an encrypted shared secret key; Some or all of the encrypted shared secret key is sent to the client system of the organization requesting the user's authentication.

Multiple encryption layers may be created by the user device. These encryptions can be applied individually or collectively to the elements. For example, a random number of 3 or more digits (which may change during each login event) with salt and iv may be generated by the user device, or other types of encryption and/or hashing may be applied. . Other encryption layers can be added collectively to the previous encryption.

Multiple layers of encryption remove multiple random characters from the package. For example, 6 random characters can be removed from the package. A number of random numbers and letters will be presented to the user and the encrypted details will be sent to the client system requesting authentication of the user device.

A client system requesting authentication of the user device will require the user to provide the information provided to the user device. Only users who provide such information can the client system authenticate the user. This process reduces the likelihood of third parties intercepting, guessing, or knowing the user's login information.

Once the user is authenticated, the session is authenticated via time and geo-based access code. For example, the geo-based access code may be a token or other type of geo-based access code. Geo-based access codes may be invalidated when time expires or geographic aspects become invalid. For example, geographic features may be invalidated if the user is not within a geographic location associated with a geographic-based access code.

Transaction Authentication

The authentication process for the user of the authentication system of the present invention operates so that the transaction is authenticated without the need for the user to disclose his or her key to the client system. The client system does not know the user's key, or whether the user has a key. The user device does not disclose the key to the system and must prove to the system that it has a valid key and that the user and device are authenticated. To achieve this, the user device will have to authenticate using the SMFA process described herein and/or the ISMA process described herein. When the user device is authenticated, the user device can use a random temporary key that it has or has received.

The system creates a challenge. This challenge can be protected using features such as multi-layer encryption, digital signatures and/or hashing. The security package is sent to the user device requesting authentication. The user device can check the package and use the decryption key provided on the display or troubleshoot.

By way of example, an embodiment of the present invention may be operable to allow the system to generate a plurality of random numeric alphanumeric codes in which one or more numbers are blank, and the corresponding alphabet or number to be written in the blank is also accompanied by a challenge in the ISMA process. Will be sent to the user. For example, the system may generate six or more of a plurality of random alphanumeric codes, or any other number of random alphanumeric codes.

The system generates and encrypts 6 or more random numeric alphanumeric codes and other elements. For example, the system may encrypt a random numeric alphanumeric code of 6 or more digits. Additional encryption and security functions (including but not limited to salt, iv, security keys, etc.) can also be applied by the client system. The system then adds a digital signature to the encryption result. This encrypted and signed package is sent to the user device requesting authentication.

The user device verifies the digital signature and then uses the provided decryption key to regenerate a 6 or more alphanumeric code with the corresponding alphabet or number.

The user device then encrypts the regenerated information with security functions. The user device then adds a digital signature to the encryption result. This encrypted and signed package is sent to the client system involved in the authentication process.

The client system receives the message from the user device, upon receipt, verifies the digital signature, decrypts the message, and compares the message with the sent message. As a result of the comparison, if the received message is the same as the transmitted message, the client system knows that the user has the required key. Once the user device is authenticated, the session is authenticated via time and region based access codes. These access codes will be invalidated when the time expires or the geography becomes invalid as described above in this specification.

The skilled reader will recognize that the authentication method and system of the present invention can be implemented in a variety of ways. 1-17 provide some examples of embodiments of the present invention, which are described herein.

As shown in Fig. 1, an authentication system incorporates many elements including a client system, a user system, a verification system, and multiple storage units. The authentication system can perform many functions, such as verifying and verifying the user's login.

User system 102 is used by a user to log in to a client system 902. The user system may be involved in verifying the user's identity and other activities, as described herein. In order for a user to access a secure area of a client machine, the client machine must verify the user's identity. The verification system 202 may be involved in verifying the user's identity to the client system.

When a user wishes to access a secure area of a client system through the user device 90, the user must first prove the user's identity to the client system. Once the client system receives verification of the user's identity, the system may allow the user to access the secure content of the client system.

Users use the user system to prove their identity and access secure areas of the client system. The verification system 202 is operable to verify the authenticity of the user's identity. Synchronization system 300 is a set of one or more synchronization elements 302A?? 302N operable to function in a synchronized manner to authorize the authenticity of a user identity.

The user system can include multiple elements. In one embodiment of the present invention, the user system includes a proving unit 104, a display unit 106, a processing unit 108, and an approval unit 112. , May include a storage unit 110 and a communication unit 114. The authentication unit is operable to prove the initial identity of the user system 102 to the verification system. The display unit is operable to display information to the user, such as a challenge or any other information transmitted to the user system from, for example, a client system, a verification system, or any other system or element of the invention. The display unit is also operable to display information generated by the client system to the user. The display unit can also be connected to the input unit, or have a touch screen or other input operability, so that the user can input information. Information entered by the user may be displayed on a display unit, or otherwise may be collected and stored by the user system, transmitted to other systems or elements of the client system or authentication system, or processed by the user system. The processing unit 108 will be responsible for all processing capacity in the system. The authorization unit 112 is responsible for accessing the challenge and response and providing results, and the storage unit is responsible for storing both temporary and permanent data. The communication unit 114 is responsible for all external communication.

The verification system 202 may include a number of elements. In one embodiment of the present invention, the verification system includes a masker unit 204, an N-packet generator 206, a report generator 208, and a processing unit. It may include a unit 210, an approval unit 212, one or more storage units 214A??214N, and a communications unit 216. The masker unit is operable to generate one or more unique non-identifying identifiers for the client system and user system. The processing unit 210 may perform processing of information and data required by the authentication system. The authorization unit 212 is operable to access responses received internally in the system and provide results that can be transmitted to a processing unit or to a receiver external to the system through a communication unit. One or more storage units are operable to store both temporary and permanent data. The N-packet generator 206 is operable to generate a packet of authentication information. The communication unit 216 is operable to receive and transmit all communications with all elements of the authentication system external to the verification system (ie, client system, user system, etc.).

The skilled reader will recognize that some or all of the units described as elements of the verification system of FIG. 1 in an embodiment of the present invention may be incorporated into other systems or elements of an authentication system, such as a client system. In some embodiments of the present invention, some or all of the units described as elements of the verification system in FIG. 1 may not be included in any system of the authentication system, but may generally be standalone elements integrated into the authentication system.

The synchronization system 300 may include one or more synchronization elements 302A?? 302N, and each synchronization element may include multiple units. In one embodiment of the present invention, at least two synchronization elements are the authentication unit 304A?? 304N, the storage unit 308A?? 308N, the processing unit 306A?? 306N, the authorization unit 312A?? 312N and It may include a communication unit (310A?? 310N). The authentication unit 304A is operable to prove the initial identity of the synchronization system 300 to the verification system 202.

Communication between user systems, verification systems and synchronization elements are received by and transmitted from the communication units of such systems and/or elements. All such communication between systems and/or elements may be protected by the use of one or more masking functions, and one or more masking functions may include hashing and/or encryption.

As shown in FIG. 2, data may be transferred between the verification system's masker unit 204 and the client system 902 via the verification system's communication unit 216. During the initial communication between the client system and the verification system regarding the setup of a new user who wants to use the client system, the client system communicates with the verification system's masker unit to allow the new user to establish a secure connection with the client system. You can ask for proof. The masker device generates unique security credentials that the client system can use to establish a link between the client system and the verification system. These unique credentials may include, for example, a client ID or other form of credentials.

Once a trusted connection is established between the client system and the verification system, the masker unit performs a process such as a computation, algorithm, or other type of process that will generate a unique non-identifying identifier that is secret to the user. The unique non-identifying identifier may be stored in one of the storage units 214A (or any of storage units 214A ... 214N) incorporated in the verification system.

The masker unit may use masking functions such as hashing, encryption and/or other masking functions to secure the non-identifying identifier. The client system may also provide a list of all available synchronization elements to the verification system. In an embodiment of the present invention, one or more synchronization elements may be stored in one or more storage units 214A?? 214N of the verification system.

As shown in Fig. 3, the registration process of the present invention may include the operation of elements of the authentication system required during the initial interaction of the user with the authentication system in order for the user to register with the client system. All communication between the client system, the elements of the user system, the elements of the verification system and the elements of the synchronization system is made via the communication units of the user system, the verification system and the synchronization system as shown in FIG. In order to be authorized to access the secure part of the client system, the user must register with the client system. During initial registration, the authentication unit 104 accesses one or more storage units 110 of the client system to retrieve the authentication information. The proof information may include a non-identifying identifier generated by the masker unit, a secret generated by the masker unit, and also a user device, a unique application number, and, for example, biometric information (e.g., It may include information for identifying other information related to the user, such as a user's fingerprint, a user's retina scan, or other biometric information of the user), usage information, and the like. Once the proof unit has obtained all the proof information, the proof information can be stored in one or more storage units of the user system.

The authentication information obtained by the authentication unit 104 is securely transmitted to the processing unit 210 of the verification system via the communication unit 114 of the user system. The processing unit 210 retrieves information about the user from one or more storage units 214A??214N of the verification system via the communication unit 216 of the verification system. The processing unit 210 generates an information package by combining the information received from the client system and information retrieved from one or more storage units of the verification system. The processing unit transmits this information package to the authorization unit 212.

The authorization unit 212 compares the value of the information package received from the processing unit with information stored in one or more storage units 214A??214N of the verification system previously received from the client system. If the comparison is successful, the authorization device accepts the connection with the user system. If the comparison is not successful, the authorization unit 212 will refuse to connect with the user system. The results of the authorization system are sent to the N-packet generator 206.

If the connection with the user system is not approved, the work of the authentication system attempting to register the user ends. In one embodiment of the present invention, the N-packet generator generates a random challenge when the connection with the user system is approved. The random challenge may include multiple packets (N-packets). Each N-packet contains a number of random numbers or alphanumeric/other characters (N-RANC).

The N-packet is safely transmitted to the display unit 106 of the user system. Embodiments of the present invention include, but are not limited to, encryption, hashing and/or digital signatures to provide security to N-packets transmitted between the N-packet generator and the display unit, for example, N- A multi-layer of protection, which is a multi-layer protection of both RNAC and N-packets, can be applied. In another embodiment of the invention, the N-packet may be generated by an element of the user system or by another system with or without N-RNAC. The user interacts with this element to create an OY-packet.

The display unit 106 receives the N-packet and displays information contained in the N-packet to the user. From the displayed N-packets, the user selects the N-RANC associated with the selected N-packet by inputting one or more N-packets. For ease of reference, the N-packet selected by the user is a Y-packet herein. The order in which the user selects Y-packets is maintained to be ordered Y-packets (OY-packets). The OY-packet is transmitted by the display unit 106 to the processing unit 108 of the user system. The processing unit of the user system divides the OY-packet into two or more parts. Each part may contain more than one N-packet.

The processing unit of the user system can mask OY-packet information by applying a masking function to each part of the OY-packet. For example, the processing unit of the user system may apply masking to one or more of the following: each N-RNAC incorporated into an OY-packet and/or each Y-packet incorporated into an OY-packet and/or Each OY-packet. The results of one or more masking may be stored in one or more storage units 110 of the user system. The unsaved results are sent to the processing unit of the verification system.

The challenge generated by the N-packet generator transmitted to the display unit of the user system may contain multiple N-packets, and each N-packet may contain three or more N-RANCs. The user can select multiple Y-packets to form an OY-packet. The OY-packet can be divided into two parts (i.e., OYA- part and OYB- part).

The processing unit of the verification system may apply hashing and/or encryption and then select two or more random synchronization elements of the synchronization system from a list stored in one or more storage units of the verification system. The selected random synchronization element forms a synchronization registry. The processing unit of the verification system can individually or collectively add secrets to the OY-packet portion, and individually and/or collectively perform multi-layer hashing and/or encryption functions on the OY-packet portion. . The hashed and/or encrypted unique OY-packet portion may be distributed among one or more synchronization elements, and the OY-packet portion may be stored in one or more storage units in one or more synchronization elements being distributed. As a result, the unique OY-packet portion is stored in another synchronization element. The distribution information portion may be stored in the synchronization registry of the synchronization element.

As shown in Fig. 4, the authentication system is operable to perform an access process, where the registered user attempts self-authentication through the operation of the verification system to gain access to the secure portion of the client system. All communication between the elements of the user system, the elements of the verification system and the elements of the synchronization system, as shown in Fig. 4, is made through the synchronization element of the communication unit of the user system, the verification system and the synchronization element of the synchronization system. The authentication unit 104 of the user system accesses one or more storage units 110 of the user system to retrieve the authentication information. The proof information may include a non-identifying identifier and a secret.

Some or all of the proof information obtained by the proof unit is safely sent to the processing unit 210 of the verification system through the communication unit 216 of the verification system, and through the communication unit 114 of the user system. The processing unit 210 retrieves information about the user from one or more storage units 214A??214N of the verification system. The processing unit 210 combines information received from the client system with information retrieved from one or more storage units of the verification system to generate an information package. The processing unit sends this information package to the authorization unit 212 of the verification system.

The authorization unit 212 compares the value of the information package received from the processing unit 210 with information stored in the verification system previously received from the client system. If the comparison is successful (i.e. the information compared as a result of the comparison works), the authorization device accepts the connection with the user system. If the comparison fails, the authorization device rejects the connection with the user system. The results of the authorization system are sent to the N-packet generator 206.

If the connection with the user system is not approved, the operation of the authentication system attempting user registration is terminated. When the connection with the user system is approved, the N-packet generator generates a random challenge. The random challenge may include two or more packets (N-packets). Each N-packet has two more random or alphanumeric characters (N-RANC). Multi-layer hashing and/or encryption can be applied to the challenge sent to the display unit. Hashing and/or encryption is applied by a random generator.

The N-packet is safely transmitted to the display unit 106 of the user system. Embodiments of the present invention may apply multi-layer hashing and/or encryption to provide security to N-packets transmitted between the N-packet generator and the display unit. For example, multilayer hashing and/or encoding may include hashing and/or encoding N-RNACs and/or N-packets prior to movement. The display unit 106 receives the N-packet and displays the corresponding information to the user. From the displayed corresponding information, the user selects two or more corresponding information by selecting an N-packet and an N-RANC associated with the selected N-packet. For ease of reference, the N-packets selected by the user are Y-packets in this specification, and these Y-packets are ordered and are referred to as OY-packets. In another embodiment of the present invention, the N-packet generator generates Y and/or OY-packets by interaction with the user through user systems and/or any elements from user systems or other systems such as cameras, scanners, etc. It can exist in other systems that can be created.

The OY-packet is transmitted by the display unit 106 to the processing unit 108 of the user system. The processing unit of the user system divides the OY-packet into several parts. Each part contains several N-packets.

The processing unit 108 of the user system retrieves the previously stored OY-packet portion from one or more storage units of the user system where the previously stored OY-packet portion is stored. The processing unit transmits the previously stored OY-packet portion and the more recently generated OY-packet portion to the authorization unit 110 of the user system. The approval unit of the user system compares the information received from the processing unit of the user system with the previously stored OY-packet part to generate an approval result or rejection result. The result generated by the approval unit of the user system (ie, the approval result or rejection result) is transmitted to the processing unit of the user system. If the result of the approval unit of the user system is a rejection result, the authentication process is stopped.

If the result of the approval unit of the user system is the result of approval, the processing unit of the user system may store one or more recently generated OY-packet parts in one or more storage units of the user system, and the remaining OY-packet parts of the verification system. Send it to the processing unit. The processing unit of the verification system retrieves the synchronization system information for the user from the synchronization registry. The processing unit of the verification system may add secrets to the received OY-packet parts and perform multi-layer hashing and/or encryption functions on these OY-packet parts. After hashing and/or encryption, the processing unit of the verification system may transmit the hashed and/or encrypted portion of the unique OY-packet to one or more processing units 302A??320N of the synchronization elements of the synchronization system. Each processing unit of the synchronization element receives a hashed and/or encrypted unique OY-packet portion from the processing unit 210 of the verification system. Each synchronization element of the synchronization unit receiving the hashed and/or encrypted OY-packet portion may perform a process as shown in FIG. 5. The synchronization element's processing unit 306A?? 306N may decode the hashing and/or encryption to determine and identify one or more N-packets and N-RANCs. The processing unit of the synchronization element may transmit the N-packet and the N-RANC to the granting unit 312A?? 312N of the same synchronization element.

The authentication unit 304A?? 304N of the synchronization unit retrieves the previously stored hashed and/or encrypted OY-packet portion from the storage unit 308A?? 308N of the synchronization element. The authentication unit of the synchronization unit can decode the hashing and/or encryption to determine and identify one or more N-packets and N-RANCs, which are transmitted to the authorization unit of the synchronization element. The acknowledgment unit of the synchronization element compares the recently generated N-packet and N-RANC with the previously stored N-packet. Based on this comparison, a pass value or a fail value is generated. The generated pass value or fail value is transmitted to the verification unit of the synchronization element.

The authentication unit of the synchronization unit retrieves the authentication information from one or more storage units of the synchronization unit, and the authentication information and the pass value or the failure value received by the authentication unit may be hashed and/or encrypted and transmitted to the processing unit of the verification system. .

The processing unit of the verification system receives the hashed and/or encrypted result and verification information from each verification unit of each synchronization element that generated such information. For clarity, multiple synchronization elements may have received a unique OY-packet portion, and each such synchronization element will process the OY-packet portion according to the method discussed herein. All communication between the user system elements, the verification system and the client system are made through the communication units of the user system, the client system and the verification system as shown in FIG. 6. 6, the processing unit 210 of the verification system 202 decodes the verification information received from each synchronization element 302A?? 302N, and converts the decoded information into an approval unit of the verification system ( 212). The processing unit 210 of the verification system retrieves the proof information from one or more storage units 214A??214N of the verification system. The processing unit of the verification system transmits the retrieved authentication information to the approval unit of the verification system. The authorization unit of the verification system approves the synchronization element using the received information.

The processing unit of the verification system decodes each pass and/or fail value received from the synchronization element. The decoded values are stored as verification results in one or more storage units of the verification system. The verification result report can be generated by the processing unit of the verification system or the report generator 208, which contains various information, e.g., the total synchronization factor requested, the number of passed values received, the number of failed values received, and synchronization. System confidence scores and other information may be included. The processing unit of the verification system may hash or encrypt the verification result, and transmit the hashed and/or encrypted verification result to the processing unit 108 of the user system 102 via the communication unit 216 of the verification system. The processing unit of the user system transmits the hashed or encrypted verification result to the client system 902. The client system submits an authentication request to the processing unit 210 of the verification system through the communication unit 216 of the verification system based on the verification result received by the client system. The processing unit of the verification system retrieves the verification results stored in one or more storage units of the verification system, and transmits the retrieved results to the approval unit of the verification system. The authorization unit of the verification system will review the retrieved results, approve them, and transmit the verification results to the client system to determine whether to authenticate the user based on the verification report results.

After the user has been authenticated and granted access to the secure part of the client system, the user has access to information (i.e. data, documents, transaction information, etc.) and/or user information (i.e. text, data, etc.) to the client. Can be provided to the system. For example, a user may access a client system to send a message, make a purchase related to a credit card payment, attach an electronic signature to a document, or use it for a variety of other purposes. In the process of interaction between the user and the client system through the user system, user information is transferred between the client system and the user system. The present invention is operable to protect the security of such user and authentication-related information during generation, movement, storage and authentication.

To achieve this security, embodiments of the present invention may include a user system, a client system, a client display unit, and a verification system. The user system may be wholly or partially integrated into the client device used by the user to communicate with and access the client system. The skilled reader will recognize that embodiments of the present invention that achieve security for user and authentication related information transferred between the user device and the client system may include other elements.

The user uses the user device to verify the user system and the user's credentials to the client system. The user's credentials and the user's system must be checked to ensure that the user is authorized to access the secure portion of the client system. Users can perform certain functions or access certain information through the secure portion of the client system only when authenticated. For example, if the user and the user system are authenticated, the user can only approve specific transactions through the client system. Since the client system is a system that the user attempts to access, it must perform authentication. The verification system of the present invention, as described herein, will verify the identity of the user and the user system and cause the client system to recognize the user and the user system as being authenticated.

As shown in Fig. 7, the user system 101 used to transmit user information to and from the client system may include a number of elements. For example, an embodiment of the present invention is an interaction unit 103, a verifier generator 105, a noise generator 107, a processing unit 109. , A user system comprising a storage unit 111 and a reader unit 113.

As shown in Figure 8, the client system 130 of an embodiment of the present invention may include a number of elements. For example, embodiments of the present invention include a client system comprising a CSAP generator 131, a storage unit 133, a processing unit 135, a challenge generator 137, and an approval unit 139. can do.

As shown in Fig. 9, the client display unit 150 of the embodiment of the present invention may include a number of elements. For example, an embodiment of the present invention is a client display unit including an interaction unit 151, a processing unit 153, a temporary storage unit 155, and a key generator 157. It may include.

As shown in Fig. 10, the verification system 140 of the embodiment of the present invention may include a number of elements. For example, an embodiment of the present invention is a verification system including a random key generator 141, a random text generator 143, a USID generator 145, and a processing unit 147. It may include.

When a user attempts to log in to the secure part of the client system, the user will declare his intent through interaction with the client display unit and enter the request using the interaction unit of the client display unit. As shown in Fig. 11, the interaction unit 151 will pass the request to the processing unit 153 of the client display unit, and the processing unit of the client display unit will then pass the request to the processing unit 147 of the verification system. will be. The processing unit 109 of the user system requests to generate an Alpha Key (αk) combo consisting of αk1 and αk2 keys transmitted to the key generator 157 of the client display unit through the processing unit 147 of the verification system. Will generate The key generator of the client display unit sends αk1 and αk2 to the processing unit 147 of the verification system.

[27]

Subsequently, the processing unit 147 of the verification system requests a random text from the random text generator 143 of the verification system, and a unique system & event identifier (USID) from the USID generator 145 of the verification system ). The random text generator generates random text and sends the random text to the processing unit 147 of the verification system. The USID generator generates the USID and sends the USID to the processing unit of the verification system. The USID generator is operable to identify verification systems, user devices, and events attempting to connect to a secure area of the client system. The USID may be unique to each tab of a browser or multiple browsers to identify and control the number of browsers or tabs open for use by the user.

The processing unit 147 of the verification system combines the USID and random text received with αk2 into a data string, converts the data string into a machine-readable format, and transmits it to the processing unit 153 of the client display unit. The interaction unit 151 of the client display unit makes the information available to the reader unit 113 of the user system.

As shown in Fig. 12, after the process of Fig. 11 is completed, the information is made available to the user system through the reader unit 113. The reader unit 113 may be integrated into the client device or may be external to the client device, but may include any of the following auditory, visual, tactile, print, motion, and other types of sensors that may be connected via a wired or wireless connection. It may include one or more sensors. The sensor can be used to obtain information related to the user.

The reader unit 113 then transmits the obtained information to the processing unit 109 of the user system. The processing unit of the user system can separate and retain the information it has received from the reader unit. The processing unit 109 of the user system will request noise from the noise generator 107 107 of the user system. The noise generator generates noise and sends the noise to the processing unit of your system. Noise is used to mask the identity of the information being transmitted.

If the user has been previously authenticated by the client system, the user system may have a random Delta 1 Key (δk1).

The processing unit of the user system will send αk2 and δk1 to the verifier generator 105 of the user system. The processing unit will also send a request to the user system's verifier generator requesting the generation of a new beta key. In response to this request, the verifier generator generates Beta Key 1 (βK1) and Beta Key 2 (βK2) using αk2 and δk1. The verifier generator 105 will send βK1 and βK2 to the processing unit 109 of the user system.

The processing unit of the user system will also access the storage unit 111 of the user system and request generation of a Delta 1 Key and/or a session code and/or a session code. The storage unit 111 may provide the delta 1 key to the processing unit of the user system or generate a session code and provide it to the processing unit of the user system. For example, the processing unit 109 of the user system requests that the random key generator 141 of the verification system generate a random delta 1 key and/or a session code and provides it to the processing unit 109. Thus, it is possible to generate a hashing value for δk1 or SC provided.

The processing unit of the user system may generate a manual interaction code (MIC) using information obtained from each of the noise generator, the storage unit of the user system, and the verifier generator. The processing unit of the user system may transmit the MIC to the interaction unit 103 of the user system. The interaction unit 103 of the client display unit will display the MIC to the user.

When the MIC is generated, residual data ("post-MIC data") exists. The processing unit of the user system may perform symmetric or asymmetric encryption on post-MIC data. The processing unit of the user system may transmit the post-MIC data and the hashing value to the processing unit 135 of the client system.

As shown in Fig. 13, when MIC, post-MIC data and hashing values are generated by the user system, the processing unit 135 of the client system receives the post-MIC data and hashing. The processing unit 135 of the client system transmits the hashing value to be temporarily stored in the storage unit 133 of the client system. The post-MIC data is transmitted to the processing unit 153 of the client display unit.

The processing unit 153 of the client display unit combines αk1 and the post-MIC data as a package and sends this package to the key generator 157 of the client display unit. The processing unit 153 requests the key generator 157 of the client display unit to generate a gamma key γK. γK is transmitted to the processing unit 153 of the client display unit by the key generator of the client display unit.

The user now has to interact with the interaction unit 151 of the client display unit. The user must manually enter the MIC. Once input, the MIC is transmitted to the processing unit 153 of the client display unit by the interaction unit of the client display unit. The processing unit 153 makes SC or δk1 available using γK, MIC and package. The processing unit of the client display unit calculates the hashing value for SC or ?k1 and transmits the hashing value to the authorization unit 139 of the client system for verification.

Any information received or generated by the processing unit of the client display unit may be temporarily stored in the temporary storage unit 155 of the client display unit at any time during the processing activity of the processing unit 153 of the client display unit. .

The processing unit 135 of the client system retrieves the hashing value temporarily stored in the storage unit 133 of the client system. The processing unit of the client system transmits the hashing value of SC or ?k1 and the value retrieved from the storage to the authorization unit 139 of the client system. The approval unit 139 determines matching by comparing the hashing values.

If the hashing values match, the authorization unit 139 checks the matching with the processing unit 135 of the client system.

As shown in FIG. 14, upon receiving this match confirmation, the processing unit 135 of the client system requests a Client Session Access Pass (CSAP) from the CSAP generator 131. The CSAP generator 131 generates a CSAP that is transmitted to the storage unit 133 of the client system and temporarily stored. The CSAP generator 131 also sends the CSAP to the processing unit 147 of the verification system. The processing unit 147 of the verification system sends the CSAP to the processing unit of the 153 client display unit. The processing unit 153 of the client display unit transmits the CSAP to the processing unit 135 of the user system. The processing unit 135 of the user system sends the CSAP to the authorization unit 139 of the client system. The authorization device of the client system verifies the CSAP. The processing unit of the user system receives notification of such confirmation and operates to allow the user to access the secure portion of the client system.

If the authorization unit 139 of the client system determines that the values do not match, then the user, the user system and the client display unit are not authenticated.

The CSAP generator 131 of the client system can be used to test conditions related to user authentication; In accordance with the method described herein, periodic of the user system and the client display unit through the creation of the CSAP, processing and verification system by the processing unit of the client system, the user system, to other processing units of such CSAP of the client display unit. Processing and storage of such CSAPs in the storage unit of the client system, the user system and the client display unit by the transmission of.

For example, if the authorization unit of the client system determines that the authentication condition has not been met with respect to the CSAP, for example, a determination that the CSAP received by the processing unit of the client system and the stored CSAP do not match, then the user, user The authentication of the device and the client display unit (i.e., CSAP authentication) will be revoked, and the access to the terminated security area for the user, the user device and the client display unit will be terminated.

CSAP conditions for authentication applied in embodiments of the present invention may include conditions related to any of the following: dimension, geo-temporal, machine learnt artificial intelligence. ), behavioral, or other condition.

Another embodiment of the present invention shows in FIG. 15 that a user attempts to verify a transaction through access to a secure portion of a client system using a client display unit. The processing unit 153 of the client display unit sends a request to the processing unit 135 of the client system to verify the transaction. In response to such a request, the processing unit 135 of the client system sends the request to the challenge generator 137 of the client system to generate a challenge. According to such a request, the challenge generator 137 of the client system may generate a challenge, and further apply a hashing value to the result of the challenge, and store the solution and/or the hashing value in the storage unit 133 of the client system. do. The challenge generator of the client system will send the challenge to the processing unit 135 of the client system.

The processing unit 135 of the client system may apply symmetric and/or asymmetric encryption to the challenge. The processing unit 135 will send the challenge to the processing unit 153 of the client display unit. The processing unit 153 of the client display unit can decrypt the challenge using the provided key, and will transmit the challenge to the interaction unit 151 of the client display unit. In one embodiment of the present invention, the user may need to interact with the interaction unit 151 of the client display unit to find a solution to the challenge. In another embodiment of the present invention, the processing unit 153 of the client display unit can solve the decrypted challenge.

When the user using the client display unit finds a solution for the challenge, the user solution is transmitted to the processing unit 153 of the client display unit. The processing unit 153 of the client display unit can generate a hashing value based on the user solution, and the processing unit of the client display unit can add symmetrical or asymmetric encryption to this hashing value and/or solution. The processing result by the processing unit (eg, hashing value or encrypted hashing value, or solution or encrypted solution) of the client display unit may be transmitted to the processing unit 135 of the client system. The processing unit 135 of the client system may send a request to the storage unit 133 of the client system to retrieve the stored solution and/or the stored hashing value. In response to such a request, the storage unit 133 of the client system will retrieve the stored solution and/or the stored hashing value, and transmit the stored solution and/or the stored hashing value to the processing unit 135 of the client system.

The processing unit 135 of the client system will decrypt any encrypted hashing value or encrypted solution and/or unencrypted hashing value received from the processing unit 153 of the client display unit. The processing unit 135 of the client system transmits the hashing value and/or solution (in unencrypted form) received from the processing unit 153 of the client display unit, and the stored solution and/or the stored value is transferred to the client for approval. It has value in the approval unit 139 of the system. The authorization unit 139 of the client system will compare the received solution with the stored solution and/or the received hashing value with the stored hashing value.

If the received solution and/or hashing value matches the stored solution and/or hashing value, the authorization unit 139 will send a confirmation to the processing unit 135 of the client system of the match. If the match is positive, the processing unit 135 of the client system will send a confirmation of the positive match to the client system to confirm that the authentication of the transaction has been successfully completed and the client system will approve the transaction.

If the received solution and/or hashing value does not match the stored solution and/or hashing value, the acknowledgment unit 139 will send a notification that there is no match to the processing unit 135 of the client system. The processing unit of the client system sends a notification to the client system and advises the client system not to authenticate the transaction.

In another embodiment of the present invention, the processing unit of the verification system may perform the functions described for the processing unit of the client system according to FIG. 14. In this embodiment of the present invention, the challenge generator unit and the approval unit may be integrated into a client system or a verification system, and such a challenge generator unit and approval unit are according to FIG. 14 of the challenge generator 137 and the approval unit 139. It will have the same functionality as described.

Another embodiment of the present invention, wherein the user attempts to verify a transaction using the user system is shown in FIG. 16. In this embodiment of the invention, the processing unit 109 of the user system verifies the transaction by sending a request from the processing unit 135 of the client system. In response to such a request, the processing unit 135 of the client system sends a request to the challenge generator 137 to generate the challenge. In response to such a request, the challenge generator 137 creates a challenge, additionally applies a hashing value to the result of the challenge (the solution of the challenge), and stores the solution and/or hashing value in the storage unit 133 of the client system. do. The processing unit 135 of the client system may apply symmetric and/or asymmetric encryption to the challenge. The processing unit 135 will send a challenge that can be encrypted to the processing unit 109 of the user system. The processing unit 109 of the user system can decrypt the challenge, and if the challenge is encrypted, it will send the challenge to the interaction unit 103 of the user system. In one embodiment of the invention, the user may have to interact with the interaction unit 103 of the user system to find a solution to the challenge. In another embodiment of the present invention, the processing unit 109 of the user system can solve the decrypted challenge.

When the user finds a solution for the challenge, the user solution is sent to the processing unit 109 of the user system. The processing unit 109 of the user system may generate a hashing value based on the user solution, and the processing unit 109 of the user system may add symmetric or asymmetric encryption to this hashing value and/or solution. The processing result (eg, hashing value or encrypted hashing value, and a solution or encrypted solution) by the processing unit 109 of the user system may be transmitted to the processing unit 135 of the client system. The processing unit 135 of the client system may send a request to the storage unit 133 of the client system to retrieve the stored solution and/or the stored hashing value. In response to such a request, the storage unit 133 of the client system will retrieve the stored solution and/or the stored hashing value, and transmit the stored solution and/or the stored hashing value to the processing unit 135 of the client system.

The processing unit 135 of the client system will decrypt any encrypted hashing values or encrypted solutions received from the processing unit 109 of the user system. The processing unit 135 of the client system transmits the hashing value and solution received from the processing unit 109 of the user system (in unencrypted form) to the approval unit 139 of the client system for approval, and stores the solution and /Or what is stored has a value. The authorization unit 139 of the client system will compare the received solution with the stored solution and/or the received hashing value with the stored hashing value.

If the received solution matches the stored solution, or if the received hashing value matches the stored hashing value, the acknowledgment unit 139 will send a confirmation to the processing unit 135 of the client system of the match. The processing unit 135 of the client system sends a matching confirmation to the client system to confirm that the authentication of the transaction is complete and successful.

If the received solution matches the stored solution or the received hashing value matches the stored hashing value, then the acknowledgment unit 139 will notify the processing unit of the client system that there is no match. The processing unit of the client system sends a notification to the client system and advises the client system not to authenticate the transaction.

In another embodiment of the present invention, the processing unit of the verification system may perform the functions described for the processing unit of the client system according to FIG. 16. In this embodiment of the present invention, the challenge generator unit and the approval unit may be integrated into a client system or a verification system, and these challenge generator units and approval units are according to FIG. 16 of the challenge generator 137 and the approval unit 139. It will have the same functionality as described.

Systems and networks for authentication may each include one or more first peers, one or more servers, and one or more second peers each including at least a processor and a transmitter/receiver. One or more first peers and one or more second peers may further include respective memories. In some embodiments, each of the one or more first peers and the one or more second peers may include a visual display. One or more servers may further include a database. Each transmitter/receiver of the first peer, the second peer and the server may be configured to transmit and receive information from an exogenous source. In some embodiments, the first peer may be configured to transmit and receive information from the server, the server may be configured to transmit and receive information from both the first peer and the second peer, and the second peer to transmit and receive information from the server. Can be configured. The memory of the first peer and the second peer and the database of the server may be configured to store information and retrieve information. The visual display includes means for the user to interact with the display, for example data entry, text selection, object selection, and the like.

The processor of the first peer, the second peer or the server may include a processing migrator, a data manipulator, a data converter, a processing generator, and a processing verifier. have. The processing migrater may be configured to migrate data from one component in the first peer, second peer or server to another component in the first peer, second peer or server. By way of example and not limitation, the processing miter may be configured to move data from a memory of a first peer to a processor of a first peer, or from a processor of a second peer to a transmitter/receiver of a second peer. The data manipulator may be configured to manipulate the data, for example, in combination, separation, separation and recombination, rearrangement, etc. By way of example, and not limitation, the data manipulator of the first peer may be configured to separate one or more strings into a first part and a second part, or the data manipulator of the server may be configured to generate a single data packet. And the second portion of the data.

The data converter may be configured to convert a first character string into a second character string, wherein each of the first character string and the second character string may have different lengths, configurations, or any one or more of an arrangement. In some embodiments, the data converter may be configured to apply a hashing algorithm to the first string. In another embodiment, the data converter may be configured to apply an encryption protocol to the first string. In another embodiment, the data converter may be configured to apply a decryption protocol to the first string. Still in other embodiments, the data converter may be configured to apply a hashing algorithm, encryption protocol, decryption protocol, or any other known data conversion method to the first string to generate the second string.

A processing generator can be configured to generate data. In some embodiments, the data may include one or more character strings of any length and may include barcodes and the like. In some embodiments, the data may be generated in a random manner or in an indicated manner. The processing verifier may be configured to compare two or more data and determine if these data are the same or different. In some embodiments, a processing verifier and a processing generator may be paired to determine if the first string and the second string are the same and to generate a response based on the identity of the first and second strings.

The authentication method may include a registration method 1700 and a user log-in method 2000. In some embodiments, registration method 1700 includes generating one or more keys, distributing one or more keys, storing one or more keys in a local database, and storing one or more keys in a server database. I can. As shown in FIG. 17, the registration method 1700 further includes communication between a first peer 1701, a server 1750, and at least one second peer 1775. can do.

In some embodiments of the registration method 1700, the server 1750 may receive a registration request 1702 from a first peer 1701. The server 1750 may transmit registration data 1751 to the first peer 1701. The registration data 1751 may include arbitrary data required for the registration method 1700. In some embodiments, registration data 1751 may include a client registration code 1703. The client registration code 1703 may be composed of one or more characters including letters, numbers, symbols, or any combination thereof, and may be generated by the server 1750. In another embodiment, the registration data includes a user selection object. In yet another embodiment, the registration data may include a combination of one or more client registration codes 1703, user-selected objects, and any other data required for registration.

The registration method 1700 may further include generating a server key 1705 and a client key 1706 from a user input 1704. In some embodiments, server key 1705 and client key 1706 are used to generate registration key 1707. In another embodiment, the server key 1705, the client key 1706, and at least one client registration code 1703 are used to generate the registration key 1707. Other embodiments may include different combinations of client key 1706, server key 1705, and client registration code 1703 that are used to generate registration key 1707. Some information, for example, the client key 1706 and the client registration code 1703 may be stored in the memory 1708 of the first peer 1701. In addition, the registration method 1700 may include transmitting information from the first peer 1701 to the server 1750. In some embodiments, registration key 1707 and server key 1705 are transmitted to server 1750.

The registration method 1700 may include receiving information from the first peer 1701 at the server 1750. In some embodiments, the information received at server 1750 may include registration key 1707 and server key 1705. The server 1750 may generate a recipient code 1751. In addition, the server 1750 may generate a sender code 1754. Additionally, the server 1750 may generate the distribution code 1756. Server key 1705, recipient code 1751, and sender code 1754 may be used to generate a distribution key 1756. In some embodiments, distribution key 1756 may be generated from any one or more of server key 1705, recipient code 1751, or sender code 1754, or any combination therein. Some information, for example, the recipient code 1752 and the distribution key 1756 may be stored in the database 1757 of the server 1750. The registration method 1700 may further include transmitting information from the server 1750 to at least one second peer 1775. In some embodiments, distribution key 1753 and distribution code 1756 are transmitted to at least one second peer 1775.

The registration method 1700 may further include storing one or more keys in a local database. As shown in FIG. 17, at least one second peer 1775 may receive information from the server 1750. In some embodiments, the information may include distribution key 1756 and distribution code 1756. The second peer may generate a deposit code 1776. Also, a distribution key 1756 and a storage code 1776 may be used to generate a deposit key 1777. In some embodiments, the archive key 1777 may be generated using only the distribution key 1756, the only archive code 1776, or any combination of the distribution key 1756 and the archive code 1776. Some information, for example, the distribution key 1753, the storage key 1777, and the distribution code 1756 may be stored in the memory 1758 of the second peer device 1775. The registration method 1700 may further include transmitting information from the second peer 1775 to the server 1750. In some embodiments, the archive key 1777 and distribution code 1756 are transmitted to the server 1750.

The registration method 1700 may include receiving information from the second peer 1775 and storing the information in a local database. In some embodiments, in some embodiments, server 1750 receives information from second peer 1775. The received information may include a storage key 1777, a distribution code 1756, and other information necessary for storage of the information by the server 1750 or identification of the second peer 1775.

Referring now to FIG. 18, the step of generating one or more keys 1800 may occur at the first peer 1801 according to some embodiments. The first peer 1801 may be any IoT device, that is, any device that can be connected to a network and can transmit data including, but not limited to, a cell phone, personal assistant, button, home security system, device, and the like. . The first peer 1801 may request registration from the server 1850. According to some embodiments, the server 1850 may transmit registration data to the first peer 1801. The registration data may be received by the transmitter/receiver 1841 of the first peer 1801 and may include any data required to generate one or more keys 1800 at the first peer 1801. In some embodiments, registration data may include a client registration code 1803. In another embodiment, the registration data may include additional data that may serve as a precursor to the client registration code 1803 and user input 1804. The client registration code 1803 may include one or more character strings of any length.

The user input 1804 may include user-generated data in any form including a discreet unit of information. In some embodiments, user input 1804 includes, for example, biometric data, such as fingerprints, irises, and the like. In these embodiments, the biometric data can be divided into discreet units of information including an identifier. The identifier may be converted to a unique selection code 1809. In other embodiments, user input 1804 may include any number of spatial and/or temporal data. Spatial and/or temporal data can be divided into discreet units of information including identifiers. The identifier may be converted to a unique selection code 1809. In yet another embodiment, user input 1804 may include a combination of biometric data and spatial and/or temporal data, each of which may be used to generate a unique selection code 1809.

In other embodiments, user input 1804 may include one or more selection objects. The one or more selection objects may be images, icons, tokens, buttons, or any other object that allows a user to select one or more selection objects from a group of selection objects. In some embodiments, the selection object may be received at the transmitter/receiver 1841 and the processing migrater 1842 may migrate the selection object to the visual display 1843. When selected by the user on the visual display 1843, the selection object may be converted to a selection code 1809, which may include any number of characters such as letters, numbers, and symbols. In certain embodiments, the selection object is an image that can be received from server 1850. Each image is assigned a unique selection code 1809, and user selection of a combination of selection objects generates a user input 1804 including a combination 1809 of selection codes unique to the selection of the selection object by the user. In some embodiments, any combination of biometric data, spatial and/or temporal data, and selection objects may include user input 1804.

According to some embodiments, a user may generate a user input 1804 including more than one selection code 1809, and the number of selection codes is equal to n. The data manipulator 1844 may be configured to separate the selection codes into two or more groups. In some embodiments, the data manipulator 1844 may be configured to separate the selection code 1809 into a first group 1810 and a second group 1811, where the first group 1810 is 1 to n The -1 selection code 1809 is included and the second group 1811 includes the 1 to n-1 selection code 1809. Each selection code 1809 of the first group 1810 and the second group 1811 is individually converted (1812) into one or more strings by the data converter 1845, and the converted selection code of the first group ( 1813) and the converted selection code 1815 of the second group may be generated. In some embodiments, transform 1812 may include using a hashing algorithm. In another embodiment, the transform 1812 may include using an encryption method. Another embodiment may include transform 1812 using a combination of hashing algorithms and encryption methods. The first group of transformed selection codes 1813 can be used to generate a client free key 1814. Individual transformed selection codes including the first group of transformed selection codes 1813 may be combined by data manipulator 1844 to form one or more strings including client-free keys 1814. In some embodiments, individual transformed selection codes are combined through concatenation of units. The association may include using each individual transformed selection code as one unit or may include using each individual transformed selection code as one unit. The client free key 1814 may be converted to a client key 1806 by the data converter 1845 (1812). In some embodiments, transform 1812 may include using a hashing algorithm. In another embodiment, the transform 1812 may include using an encryption method. Another embodiment may include transform 1812 using a combination of hashing algorithms and encryption methods. The client key 1812 may be stored in the memory 1808 of the first peer 1801 by the processing migrator 1842.

The second group of transformed selection codes 1815 can be used to generate server-free keys 1816. Individual converted selection codes including the second group of converted selection codes 1815 may be combined by data manipulator 1844 to form one or more character strings including server-free keys 1816. In some embodiments, individual transformed selection codes may be combined through association of units. The association may include using each individual transformed selection code as one unit or may include using each individual transformed selection code as one unit. The server-free key 1816 may be converted to a server key 1807 by the data converter 1845 (1812). In some embodiments, transform 1812 may include using a hashing algorithm. In another embodiment, the transform 1812 may include using an encryption method. Another embodiment may include transform 1812 using a combination of hashing algorithms and encryption methods.

According to some embodiments, a registration key 1807 may be generated. Each of the client key 1806 and the server key 1805 is processed by the data manipulator 1844 to create a client key first part 1815, a client key second part 1818, a server key first part 1818, and a server key. It can be divided into two parts 1820. In some embodiments, the client key 1806 may be divided into three or more parts. Likewise, the server key 1805 can be divided into three or more parts. The client key first part 1817 and the client key second part 1818 may include different portions of the character comprising the client key 1806. In certain embodiments, each of the client key first part 1817 and the client key second part 1818 may be half of the client key 1806. The server key first part 1819 and the server key second part 1820 may include different parts of the character including the server key 1805. In a particular embodiment, each of the server key first part 1819 and the server key second part 1820 may be half of the server key 1805. The client key first part (1817), the client key second part (1818), the server key first part (1819) and the server key second part (1820) contain one or more strings including a first free key (1821). Can be combined by data manipulator 1844 through association of units to form. The association by the data manipulator 1844 includes each of the client key first part 1817, the client key second part 1818, the server key first part 1819 and the server key second part 1820 as a unit. Using or using the pieces of the client key first part (1817), the client key second part (1818), the server key first part (1819), and the server key second part (1820) as one unit. It may include. Also, association may include using any combination of portions generated by the separation of the client key 1806 or the server key 1805. The first free key 1821 may be converted into one or more character strings including the second free key 1822 by the data converter 1845 (1812). In some embodiments, transform 1812 may include using a hashing algorithm. In another embodiment, the transform 1812 may include using an encryption method. Another embodiment may include transform 1812 using a combination of hashing algorithms and encryption methods. The second free key 1822 may be used to generate the registration free key 1823. According to some embodiments, the second free key 1822 and the client registration code 1803 may be associated by the data manipulator 1844 to form one or more character strings including the registration free key 1823. The association may include using each of the second free key 1822 and the client registration code 1803 as a unit or using the second free key 1822 and the client registration code 1803 as a unit. The registration free key 1823 may be converted into one or more strings including the registration key 1807 by the data converter 1845 (1812). In some embodiments, transform 1812 may include using a hashing algorithm. In another embodiment, the transform 1812 may include using an encryption method. Another embodiment may include transform 1812 using a combination of hashing algorithms and encryption methods.

The first peer 1801 may transmit information to the server 1850. According to some embodiments, the processing migrator 1842 of the first peer 1801 may migrate the registration key 1807 and the server key 1805 to the transmitter/receiver 1841 of the first peer 1801, This may transmit the registration key 1807 and the server key 1805 to the server 1850. In another embodiment, the transmitter/receiver 1841 of the first peer 1801 may transmit the registration key 1807, the server key 1805, and other information necessary for the registration method to the server 1850.

The registration method may further include distributing one or more keys 1900. As illustrated in FIG. 19, the transmitter/receiver 1941 of the server 1950 may receive information from the first peer 1901. According to some embodiments, the transmitter/receiver 1941 of the server 1950 may receive the registration key 1907 from the first peer 1901. The transmitter/receiver 1941 of the server 1950 may receive the server key 1905 from the first peer 1901. The transmitter/receiver 1941 of the server 1950 may receive both the registration key 1907 and the server key 1905 from the first peer 1901. The processing miter 1942 may migrate the registration key 1907 and the server key 1905 to the processor of the server 1950. The registration key 1907 may be stored in the database 1957 of the server 1950 by the processing miter 1942. The processing generator 1946 of the server 1950 may generate a peer list 1958. The peer list 1958 may include, for example, a list of a first peer 1901, a second peer 1975, and a peer device on a network. The peer list may also include recipient codes 1952 and distribution codes 1956, which may include one or more strings of any length. Further, the processing generator 1946 of the server 1950 may generate the sender code 1954, which may also contain one or more strings of any length.

According to some embodiments, the server 1950 may receive the registration key 1907 from the first peer 1901. Registration key 1907 can be used to generate any number of registration key sub-parts. The data manipulator may generate a registration key sub part from the registration key 1907. In these embodiments, registration key 1907 may include any number of characters, such as n. Each registration key sub-part may contain any number or combination of characters equal to n-1. The server 1950 may generate one or more random character strings. Each of the registration sub-parts may be associated with one or more random strings of characters by the data manipulator 1944. In some embodiments, the associated string may be transformed (1912). Each of the generated association strings or converted association strings may be transmitted to one or more second peers 1975. The server 1950 may receive the server key 1908 from the first peer 1901. The server key 1908 can be used to generate any number of server key sub-parts. The data manipulator may generate a server key sub part from the server key 1908. In these embodiments, server key 1908 may include any number of characters, such as n. Each server key sub-part may contain any number or letter combination, such as n-1. The server 1950 may generate one or more random character strings. Each of the server key sub-parts may be associated with one or more random strings by the data manipulator 1944. In some embodiments, the associated string may be converted (1912). Each generated associated string or converted associated string may be transmitted to one or more second peers 1975.

The data manipulator 1944 of the server 1950 combines any combination of a server key 1905, a recipient code 1952, a sender code 1954, a distribution code 1956, or a registration key 1907. By doing so, the distribution-free key 1959 can be generated. In some embodiments, the distribution-free key consists of a server key 1905, a sender code 1954 and a recipient code 1952, which can be combined through concatenation of units to form one or more strings. . For association, each of the server key (1905), sender code (1954) and recipient code (1952) is used as one unit, or server key (1905), sender code (1954) and recipient code (1952) are used as one unit It may include the step of. The distribution-free key 1959 may be converted into one or more character strings including the distribution key 1953 by the data converter 1945 (1912). In some embodiments, transform 1912 may include using a hashing algorithm. In another embodiment, transform 1912 may include using an encryption method. Another embodiment may include transform 1912 using a combination of hashing algorithm and encryption method. The distribution key 1953 may be stored in the database 1957 of the server 1950 by the processing migrator 1942. The server 1950 may be configured to transmit information to the second peer 1975. In some embodiments, processing migrater 1942 of server 1950 may migrate distribution key 1953 and distribution code 1956 to transmitter/receiver 1941 of server 1950. In another embodiment, the transmitter/receiver 1941 of the server 1950 may transmit the distribution key 1953, the distribution code 1956, and other information necessary for the registration method to the second peer 1975. In some embodiments, server 1950 may store any combination of registration key 1907, server key 1905, and distribution key 1953 in database 1957 of server 1950. The server 1950 may generate one or more distribution keys 1953 and transmit data to one or more second peers 1975. In some embodiments, peer list 1958 may include a list of one or more second peers 1975 on the network. The second peer may include any IoT device, server, or any device that is on the network and capable of sending and receiving data from the server 1950. The server 1950 may generate a unique distribution code 1956 for each second peer 1975. The server 1950 may generate a unique recipient code 1952 for each second peer 1975. In these embodiments, the distribution key 1953 generated for each second peer 1975 may be different from the distribution key 1953 generated for the other second peer 1975, but the first peer 1901 The basic server key 1905 received from) may be the same.

According to some embodiments, the registration key 1907 may be used to generate the distribution-free key 1959. In these embodiments, any combination of registration key 1907, sender code 1954, recipient code 1952 and server key 1905 may be used to generate the distribution-free key 1959.

Referring now back to FIG. 17, the registration method 1700 may include storing one or more keys in a local database. According to some embodiments, the second peer 1775 may be configured to receive and transmit information to the server 1750 through a transmitter/receiver of the second peer 1775. The second peer 1775 may receive the distribution key 1756 from the server 1750 through the transmitter/receiver of the second peer 1775. The second peer 1775 may receive the distribution code 1756 from the server 1750. In some embodiments, second peer 1775 may receive distribution key 1756 and distribution code 1756 from server 1750. The distribution key 1753 and the distribution code 1756 may be stored in the memory 1778 of the second peer 1775. The second peer 1775 may generate the storage code 1776. The storage code 1776 may be one or more strings of characters of any length and may be generated in a random manner. Alternatively, the storage code 1776 may be generated by the server 1750 and received by the second peer 1775. The storage code 1776 and the distribution key 1753 may be combined through association of units to form one or more character strings including the storage free key 1779. The association may include using each of the storage code 1776 and the distribution key 1753 as a unit, or may include using the storage code 1776 and the distribution key 1751 as units. The archive-free key 1791 may be converted into one or more character strings including the archive key 1777 (1712). In some embodiments, transform 1712 may include using a hashing algorithm. In another embodiment, the conversion 1712 may include using an encryption method. Another embodiment may include a transformation 1712 that uses a combination of a hashing algorithm and an encryption method. The storage key 1777 may be stored in the memory 1778 of the second peer 1775. In some embodiments, the second peer 1775 may send the archive key 1777 and the distribution code 1756 to the server 1750. In another embodiment, the second peer 1775 may send the storage key 1777, the distribution code 1756, and any other information required for the registration method 1700 to the server 1750.

The registration method 1700 may further include storing one or more keys on the server database. 19, the transmitter/receiver 1941 of the server 1950 may receive information from the second peer 1975. In some embodiments, transmitter/receiver 1941 of server 1950 may receive distribution code 1956. In some embodiments, the transmitter/receiver 1941 of the server 1950 may receive the storage key 1977. In another embodiment, the transmitter/receiver 1941 of the server 1950 may receive the distribution code 1956 and the storage key 1977. In another embodiment, the sender/receiver 1941 of the server 1950 may receive the distribution code 1956, the storage key 1977, and any other information necessary for the registration method. The distribution code 1956 and the storage key 1977 may be stored in the database 1957 of the server 1950 by the processing miter 1942.

In certain embodiments, the registration method 1700 includes generating one or more keys, distributing one or more keys, storing one or more keys in a local database, storing one or more keys in a server database. It may include. As shown in FIG. 17, the registration method 1700 may begin with a registration request 1702 from a first peer 1701. The registration request 1702 may be transmitted and received by one or more servers 1750. One or more servers may transmit the registration data 1751 to the first peer 1701. Referring now to FIG. 18, a specific embodiment may include a first peer 1801 that receives registration data from a server 1850.

The registration data may include a client registration code 1803 and one or more selection objects. The client registration code 1803 may include one 8-digit character string. The selection object may contain multiple images. In certain embodiments, the selection object may include multiple selection objects equal to 60. Each selection object may include a unique selection code 1809. The selection code 1809 may include one or more character strings, and in certain embodiments, each selection code may include 5 character strings. The user may select a plurality of selection objects from the selection objects received by the server 1850. In a particular embodiment, the user can select six selection objects. The user's selection of a selection object may generate a user input 1804 including a selection code collection 1809 that can be selected by selecting a specific selection object associated with each selection code 1809. In a particular embodiment, user input 1804 includes a 6, 5 character selection code 1809.

The user input 1804 may be divided into a first group 1810 and a second group 1811. In a particular embodiment, each of the first group 1810 and the second group 1811 includes three different selection codes 1809. Each selection code 1809 including the first group 1810 and the second group 1811 may be converted into one or more character strings (1812). In certain embodiments, each selection code 1809 may be transformed using a hashing algorithm, and may each include a first group of transformed selection codes 1813 and a second group of transformed selection codes 1815. I can. Each of the first group 1813 of converted selection codes and the second group 1815 of converted selection codes may be combined to generate a client-free key 1814 and a server-free key 1816, respectively. In a particular embodiment, the three transformed selection codes including the first group of transformed selection codes 1813 may be associated to generate one or more strings including the client free key 1814. Similarly, the three transformed selection codes including the second group of transformed selection codes 1815 may be associated to generate one or more strings including the server-free key 1816. The client-free key 1814 and the server-free key 1816 may be converted into a client key 1806 and a server key 1805, respectively (1812). In a particular embodiment, transform 1812 includes using a hashing algorithm.

The registration key 1807 may be generated using a combination of the client key 1806, the server key 1805, and the client registration code 1803. In certain embodiments, the client key 1806 and the server key 1805 are separated into a first part 1817 and 1819 and a second part 1818 and 1820, respectively. The first free key 1821 may be generated by combining a portion of the client key 1806 and a portion of the server key 1805 by association to form one or more character strings. The first free key 1821 may be converted into one or more character strings including the second free key 1822 (1812). In a particular embodiment, transform 1812 includes using a hashing algorithm. The registration free key 1823 may be generated by forming one or more character strings by combining the client registration code 1803 and the second free key 1822 to form one or more character strings by association. The registration-free key 1823 can be converted 1812 to a registration key 1807, where the conversion 1812 includes using a hashing algorithm. In certain embodiments, the client key 1806 and the client registration code 1803 may be stored in the memory 1808 of the first peer 1801. Further, the server key 1805 and the registration key 1807 may be transmitted to one or more servers 1850.

The registration method may include distributing one or more keys. In the specific embodiment shown in FIG. 19, the server 1950 may receive a registration key 1907 and a server key 1905 from the first peer 1901. The registration key may be stored in the database 1957 of the server 1950. The server 1950 may create a peer list 1958 that may include a list of second peers 1975 on the network. For each of the second peers 1975, the server 1950 may generate a recipient code 1952 and a distribution code 1956. In certain embodiments, recipient code 1952 and distribution code 1956 may be unique for both a particular second peer 1975 and a particular transaction.

In addition, the server 1950 may generate a sender code 1954 unique to a specific server 1950. In certain embodiments, the recipient code 1952, the sender code 1954, and the server key 1905 may be combined via association to create one or more strings including the connection-free key 1959. The distribution-free key 1959 may be converted into a distribution key 1953 (1912). In certain embodiments, transform 1912 may include using a hashing algorithm. In some embodiments, multiple unique distribution keys 1953 may be generated, each containing a different recipient code 1952 and having a different associated distribution code 1956 from the peer list 1958, each unique. One distribution key 1953 may ultimately be transmitted to another second peer 1975. In a particular embodiment, multiple unique distribution keys 1953 are generated from the same server key 1905 and each unique distribution key 1953 is transmitted to a separate second peer 1975 on the network.

The registration method may further include storing one or more keys shown in FIG. 17 in a local database. In a particular embodiment, the second peer 1775 may receive the distribution key 1756 and distribution code 1756 from the server 1750. In this embodiment, the second peer 1775 is for receiving a distribution key 1756 and distribution key 1756 arising from the same transaction between the first peer 1701 and the server 1750 discussed above in the network. It may be one of several second peers 1775 in the network. The second peer 1775 may store the distribution key 1756 and the distribution code 1756 in the memory 1778 of the second peer 1775. Also, the second peer 1775 may generate the storage code 1776. In a particular embodiment, the archive code 1776 comprises a single string of 8 characters. Archive code 1776 and distribution key 1753 may be combined via association to create one or more strings that include archive free key 1779. The archive-free key 1779 may be converted to the archive key 1777 (1712). In a particular embodiment, transform 1712 includes using a hashing algorithm. The second peer 1775 may transmit information to one or more servers 1750. In certain embodiments, some of the second peers 1775 may transmit information to the server 1750. The information may include the distribution code 1756, the storage key 1777, and any other information required to perform the registration process 1700.

The registration method 1700 may include storing one or more keys in a server database. In some embodiments, server 1750 may be configured to receive information from one or more second peers 1775. In certain embodiments, server 1750 may receive information from multiple second peers 1775 including distribution code 1756 and storage key 1777. The server 1750 may store the distribution code 1756 and the storage key 1977 in the database 1757. Referring now to FIG. 19, distribution code 1956 and archive key 1777 may be stored in a peer list 1958 stored in database 1957. In certain embodiments, the distribution code 1956 and the archive key 1977 are stored distribution keys that may be unique to transactions performed between the first peer 1901, the server 1950, and the specific second peer 1975. 1953) and recipient code 1952.

The authentication method may include the login method shown in FIG. 20. The login method 2000 may include generating one or more login keys, distributing one or more verification keys, verifying a verification key in a local database, and verifying a verification process. Further, the login method 2000 may include communication between one or more first peers 2001, one or more servers 2050, and one or more second peers 2075.

The login method 2000 may include a first peer 2001 and the first peer may be configured to interact with a user. The first peer 2001 may request a login 2002 and the login request 2002 may be sent to one or more servers 2050. The server 2050 may receive a login request 2002 and generate login data 2051. In some embodiments, login data 2051 may include login salts 2024. The login salt may consist of one or more characters including letters, numbers, symbols, or any combination thereof. In some embodiments, login data 2051 may include a user selection object. In other embodiments, login data 2051 may include one or more login salts 2024 and user selection objects, and any other data required for login method 2000.

Generating one or more login keys may further include generating a server key 2005 and a client key 2006 from user input 2004. In some embodiments, server key 2005 and client key 2006 may be used to generate login key 2099. In another embodiment, the server key 2005, the client key 2006 and at least the login salt 2024 may be used to generate the login key 2099. Other embodiments may include different combinations of client key 2006, server key 2005, and login salt 2024 used to generate login key 2099. Some information, for example, the login salt 2024 and the client key 2006 may be stored in the memory 2008 of the first peer 2001. Further, generating one or more login keys may include transmitting information from the first peer 2001 to the server 2050. In some embodiments, login key 2099 and server key 2005 are transmitted to server 2050.

Further, as shown in FIG. 20, distributing one or more verification keys may include receiving information from the first peer 2001 in the server 2050. In some embodiments, the information received at the server 2050 may include a login key 2099 and a server key 2005. The server 2050 may generate a recipient code 2052. In addition, the server 2050 may generate a sender code 2054. In addition, the server 2050 may generate a distribution code 2056. Server key 2005, recipient code 2052 and sender code 2054 can be used to generate verification key 2062. In some embodiments, the verification key 2062 may be generated from one or more server keys 2005, recipient code 2052, verification salt 2024 or sender code 2054, or any combination thereof. I can. In some information, for example, in the database 2057 of the server 2050, the recipient code 2052, which is a verification key 2062, may be stored. In some embodiments, the verification key 2062 may not be stored in the database 2057 of the server 2050. Distributing the one or more verification keys may further include transmitting information from the server 2050 to the at least one second peer 2075. In some embodiments, verification key 2062 and distribution code 2056 are transmitted to at least one second peer 2075.

The login method 2000 may further include verifying one or more verification keys in a local database. As shown in FIG. 20, at least one second peer 2075 may receive information from the server 2050. In some embodiments, the information may include verification key 2062 and distribution code 2056. In another embodiment, the information may include verification key 2062, distribution code 2056, and verification salt 2063. The second peer 2075 can find and verify that the corresponding distribution key can be stored in the memory 2078 of the second peer 2075 using any combination of the distribution code 2056 and the verification key 2062. have. The stored distribution key can be used to generate the confirmation key 2081. In some embodiments, stored distribution key 2053 and verification salt 2063 received from server 2050 may be used to generate verification key 2081. Second peer 2075 may send information to server 2050, which includes any combination of confirmation key 2081, distribution code 2056, and any other information that may be required for login method 2000. can do.

Verifying the verification process may include receiving information from the second peer 2075 and comparing the received information with information stored in the database 2057 of the server 2050. In some embodiments, server 2050 receives information from second peer 2075. The received information may include a confirmation key 2081, a result, a distribution code 2056, and other information necessary for storage or comparison of information by the server 2050 or identification of the second peer 2075.

As shown in FIG. 21, generating one or more login keys 2100 may occur at the first peer 2101 according to some embodiments. The first peer 2101 may be any IoT device, i.e., any device capable of connecting to a network and transmitting data including, but not limited to, a cell phone, personal assistant, button, home security system, device, and the like. The first peer 2101 may request a login from the server 2150. According to some embodiments, the transmitter/receiver of the server 2150 may transmit login data to the first peer 2101. The login data may be received by the transmitter/receiver 2141 of the first peer 2101 and may include any data required to initiate a login method at the first peer 2101. In some embodiments, the login data may include a login salt 2124. In other embodiments, the login data may include additional data that may serve as a precursor of the login salt 2124 and user input 2104. The login salt 2124 may contain one or more strings of any length.

Also, as shown in FIG. 21, the user input 2104 may include any form of user-generated data including a discreet unit of information. In some embodiments, user input 2104 includes biometric data, such as fingerprints, irises, and the like. In these embodiments, the biometric data can be divided into discreet units of information including an identifier. The identifier may be converted to a unique selection code 2109.

In other embodiments, user input 2104 may include one or more selection objects. The one or more selection objects may be images, icons, tokens, buttons, or any other object that allows a user to select one or more selection objects from a group of selection objects. The selection object can be displayed on the visual display 2143 of the first peer 2101, and can be converted to a selection code 2109 that can include any number of characters, for example letters, numbers, and symbols. have. In certain embodiments, the selection object is an image that can be received from server 2150. Each image is assigned a unique selection code 2109, and user selection of a combination of selection objects generates a user input 2104 including a combination of selection codes 2109 unique to the selection of the selection object by the user.

According to some embodiments, a user may generate a user input 2104 including more than one selection code 2109, and the number of selection codes is equal to n. The selection code 2109 may be divided into a first group 2110 and a second group 2111 by the data manipulator 2144. The first group 2110 includes a selection code 2109 between 1 and n-1 and the second group 2111 includes a selection code 2109 between 1 and n-1. Each selection code 2109 in the first group 2110 and the second group 2111 may be individually converted into one or more strings by the data converter 2145 (2112), and the converted Resulting in selection codes 2113 and a second group of transformed selection codes 2115. In some embodiments, transform 2112 may include using a hashing algorithm. In another embodiment, the transformation 2112 may include using an encryption method. Another embodiment may include transform 2112 using a combination of hashing algorithm and encryption method. The first group of converted selection codes 2113 may be used to generate a client free key 2114. Individual converted selection codes including the converted selection codes 2113 of the first group may be combined by the data manipulator 2144 to form one or more character strings including the client-free key 2114. In some embodiments, individual transformed selection codes may be combined through association of units. The association may include using each individual transformed selection code as one unit or may include using each individual transformed selection code as one unit. The client-free key 2114 may be converted to a client key 2106 by the data converter 2145 (2112). In some embodiments, transform 2112 may include using a hashing algorithm. In another embodiment, the transformation 2112 may include a method using an encryption method. Another embodiment may include transform 2112 using a combination of hashing algorithm and encryption method. The client key 2106 may be stored in the memory unit 2108 of the first peer 2101 by the processing miter 2147. The client key 2106 generated by the login method may be compared to the client key 2106 stored in the memory 2108 of the first peer 2101 during the registration process for the identity by the processing miter 2147.

The second group of transformed selection codes 2115 can be used to generate server-free keys 2116. Individual converted selection codes including the second group of converted selection codes 2115 may be combined by data manipulator 2144 to form one or more character strings including server-free keys 2116. In some embodiments, individual transformed selection codes may be combined through association of units. The association may include using each individual transformed selection code as one unit or may include using each individual transformed selection code as one unit. The server-free key 2116 may be converted into a server key 2105 by the data converter 2145 (2112). In some embodiments, transform 2112 may include using a hashing algorithm. In another embodiment, the transformation 2112 may include using an encryption method. Another embodiment may include transform 2112 using a combination of hashing algorithm and encryption method.

According to some embodiments, a login key 2199 may be generated. Each of the client key 2106 and the server key 2105 is processed by the data manipulator 2144 to generate the client key first part 2117, the client key second part 2118, the server key first part 2119 and the server key. It can be divided into two parts 2120. The client key first part 2117 and the client key second part 2118 may comprise different portions of a character comprising the client key 2106. In certain embodiments, each of the client key first part 2117 and the client key second part 2118 may be half of the client key 2106. The server key first part 2119 and the server key second part 2120 may include different portions of a character comprising the server key 2105. In certain embodiments, each of the server key first part 2119 and the server key second part 2120 may be half of the server key 2105. The client key first part 2117, the client key second part 2118, the server key first part 2119, and the server key second part 2120 contain one or more strings including a first free key 2121. Can be combined by data manipulator 2144 through association of units to form. The association uses the client key first part 2117, the client key second part 2118, the server key first part 2119, and the server key second part 2120 as a unit, respectively, or the client key first part 2120. It may include using the part 2117, the client key second part 2118, the server key first part 2119, and the server key second part 2120 as one unit.

The first free key 2121 may be converted into one or more character strings including the second free key 2122 by the data converter 2145 (2112). In some embodiments, transform 2112 may include using a hashing algorithm. In another embodiment, the transformation 2112 may include using an encryption method. Another embodiment may include transform 2112 using a combination of hashing algorithm and encryption method. The second free key 2122 may be used to generate the registration free key 2123. According to some embodiments, the second free key 2122 and the client registration code 2103 may be associated by the data manipulator 2144 to form one or more character strings including the registration free key 2123. The association may include using each of the second free key 2122 and the client registration code 2103 as one unit, or the second free key 2122 and the client registration code 2103 as one unit. It may include the step of using. The client registration code 2103 may be stored in the memory 2108 of the first peer 2101 by the processing migrator 2142 during the registration process. The registration free key 2123 may be converted into one or more character strings including the registration key 2107 by the data converter 2144 (2112). In some embodiments, transform 2112 may include using a hashing algorithm. In another embodiment, the transformation 2112 may include using an encryption method. Another embodiment may include transform 2112 using a combination of hashing algorithm and encryption method. In some embodiments, the registration key 2107 may be the same as the registration key 1707 generated by the first peer 1701 during the registration method 1700 shown in FIG. 17. Referring again to FIG. 21, the registration key 2107 may be used to generate the login key 2199. In some embodiments, registration key 2107 and login salt 2124 are used to generate login key 2199. The registration key 2107 and the login salt 2024 may be associated by the data manipulator 2144 to form one or more character strings including the login free key 2198. The association may include using the registration key 2107 and the login salt 2024 as a unit, or using the registration key 2107 and the login salt 2024 as a unit, respectively. The login-free key 2198 may be used to generate the login key 2199. In some embodiments, the login-free key 2198 may be converted to a login key 2199 by the data converter 2145 (2112). In some embodiments, transform 2112 may include using a hashing algorithm. In another embodiment, the transformation 2112 may include using an encryption method. Another embodiment may include transform 2112 using a combination of hashing algorithm and encryption method.

The first peer 2101 may transmit information to the server 2150. According to some embodiments, the transmitter/receiver 2141 of the first peer 2101 may transmit the login key 2199 and the server key 2105 to the server 2150. In another embodiment, the transmitter/receiver 2141 of the first peer 2101 may transmit the login key 2199, the server key 2105, and other information necessary for the login method to the server 2150.

The login method may further include distributing one or more verification keys. As illustrated in FIG. 22, the server 2250 may receive information from the first peer 2201. According to some embodiments, the transmitter/receiver 2241 of the server 2250 may receive a login key 2299 from the first peer 2201. The transmitter/receiver 2241 of the server 2250 may receive the server key 2205 from the first peer 2201. The transmitter/receiver 2241 of the server 2250 may receive both the login key 2299 and the server key 2205 from the first peer 2201. In some embodiments, the server 2250 may generate a comparison login key 2260. The comparison login key 2260 may be generated using the registration key 2207 stored in the database 2259 of the server 2250 during the registration method.

The processing migrator 2242 of the server 2250 may migrate the registration key 2207 and login salt 2224 from the database 2257. Data manipulator 2244 of server 2250 may combine registration key 2207 and login salt 2224 by association to generate a comparison login pre-key. The comparison login free key may be converted into a comparison login key 2260 by the data converter 2245 (2212). In some embodiments, transform 2212 may include using a hashing algorithm. In another embodiment, transform 2212 may include using an encryption method. Yet another embodiment may include transform 2212 using a combination of hashing algorithms and encryption methods. The processing verifier 2247 of the server 2250 may compare the comparison login key 2260 with the login key 2299 sent by the first peer 2201 to determine whether the first peer 2201 can communicate. have.

The login key 2299 may be stored in the database 2257 of the server 2250 by the processing migrater 2242. The server may use data migrator 2422 to access pre-stored peer list 2258. The stored peer list 2258 may include, for example, a list of peer devices of the first peer 2201 and the second peer 2275 on the network. The peer list may also include recipient codes 2252 and distribution codes 2256, which may include one or more character strings of any length. Additionally, processing generator 2246 of server 2250 may generate sender code 2254, which may also contain one or more strings of any length.

The data manipulator 2244 of the server 2250 is a distribution-free key by combining any combination of a server key 2205, a recipient code 2252, a sender code 2254, a distribution code 2256, or a login key 2299. (2259) can be created. In some embodiments, distribution-free key 2259 consists of server key 2205, sender code 2254 and recipient code 2252, which may be combined through association of units to form one or more character strings. . Association is a step of using a server key (2205), sender code (2254) and receiver code (2252) as a unit, or server key (2205), sender code (2254) and receiver code (2252) as a unit It may include. The distribution-free key 2259 may be converted by the data converter 2245 into one or more strings containing the distribution key 2253 (2212). In some embodiments, transform 2212 may include using a hashing algorithm. In another embodiment, transform 2212 may include using an encryption method. Yet another embodiment may include transform 2212 using a combination of hashing algorithms and encryption methods. The distribution key 2253 may be stored in the database 2257 of the server 2250. The verification free key 2261 may be generated by the data manipulator 2244 of the server 2250. In some embodiments, distribution key 2253 and verification salt 2263 generated by processing generator 2246 of server 2250 and containing any number of characters are associated to generate verification free key 2261 Can be. The verification free key 2261 may be converted into a verification key 2262 by the data converter 2245 (2212). In some embodiments, transform 2212 may include using a hashing algorithm. In another embodiment, transform 2212 may include using an encryption method. Yet another embodiment may include transform 2212 using a combination of hashing algorithms and encryption methods.

Server 2250 may be configured to transmit information to second peer 2275. In some embodiments, the transmitter/receiver 2241 of the server 2250 may transmit the verification key 2622 and the distribution code 2256 to the second peer 2275. In another embodiment, the sender/receiver 2241 of the server 2250 transmits the verification key 2262, the distribution code 2256, the verification salt 2631, and other information required for the login method 2000 to the second peer 2275. ). In some embodiments, server 2250 may send any combination of distribution key 2253, verification salt 2263, and distribution code 2256 to second peer 2275.

The server 2250 may generate one or more verification keys 2622 and transmit data to one or more second peers 2275. In some embodiments, peer list 2258 may include a list of one or more second peers 2275 on the network. The second peer can include any IoT device, server, or any device that is on the network and capable of sending and receiving data from server 2250. The server 2250 may generate a unique distribution code 2256 for each second peer 2275. The server 2250 may generate a unique recipient code 2522 for each second peer 2275. In these embodiments, the verification key 2262 generated for each second peer 2275 may be different from the verification key 2622 generated for the other second peer 2275, but the first peer 2202 The default server key 2205 received from) may be the same. The verification key 2262 may or may not be stored in the database 2258 of the server 2250.

Referring now to FIG. 23, the login method may include checking one or more login keys in a local database. According to some embodiments, the second peer 2375 may be configured to receive information and transmit it to the server 2350. The transmitter/receiver 2341 of the second peer 2375 may receive the verification key 2362 from the server 2350. The transmitter/receiver 2321 of the second peer 2375 may receive the distribution code 2356 from the server 2350. In some embodiments, the transmitter/receiver 2341 of the second peer 2375 may receive the verification key 2362, the distribution code 2356, and the verification salt 2363 from the server 2350. Distribution code 2356 may be compared by processing verifier 2347 across all distribution codes 2356 stored in memory 2378 of second peer 2375. If the distribution code 2356 received from the server 2350 is the same as the distribution code 2356 stored in the memory 2378 of the second peer 2375, the processing generator 2346 of the second peer 2375 is positive. Results 2382 can be generated. If the distribution code 2356 received by the second peer 2375 is not the same as the distribution code 2356 stored in the memory 2378 of the second peer 2375, the processing generator of the second peer 2375 ( 2346) may produce a negative result 2382. In some embodiments, the verification key 2362 is also used to find the same distribution code 2356. If the second peer 2375 determines that at least one distribution code 2356 stored in the memory 2378 of the second peer 2375 is the same as the distribution code 2356 received from the server 2350, the second peer ( The processing migrator 2334 of 2375 may remove the distribution key 2353 associated with the matching distribution code 2356 from the memory 2378. The distribution key 2353 removed from the memory 2378 and the verification salt 2363 of the second peer 2375 can be used to generate the verification free key 2380 by connection by the data manipulator 2344. The confirmation free key 2380 may be converted into a confirmation key 2381 by the data converter 2345 (2312). In some embodiments, transform 2312 may include using a hashing algorithm. In another embodiment, the transform 2312 may include using an encryption method. Another embodiment may include transform 2312 using a combination of hashing algorithm and encryption method. In some embodiments, the second peer 2375 may receive the distribution key and verification salt 2363 from the server 2350. The second peer 2375 may generate the verification key 2362 at the second peer 2375 by associating the distribution key and the verification salt 2363 in order to generate the verification free key. The verification free key may be converted into a verification key 2362 (2312).

In some embodiments, the second peer 2375 may generate the comparison verification key 2383. The second peer 2375 may generate the comparison verification key 2383 by associating the stored distribution key 2353 with the verification salt 2363 received from the server 2350 to generate a comparison verification free key. The comparison verification free key may be converted into a comparison verification key (2312). In some embodiments, the comparison verification key 2383 may be compared to the verification key 2362 received by the processing verifier 2347 and a result 2382 may be generated. In some embodiments, the result 2382 is a result generated by comparing the verification key 2362 with the comparison verification key 2383 and the result generated by comparing the received distribution code 2356 with the stored distribution code 2356. Can include. The confirmation key 2381 may be generated from the confirmation salt 2363 and the storage key 2377 retrieved from the memory 2378 of the second peer 2375. Archive key 2377 and verification salt 2363 may be associated by data manipulator 2344 to generate confirmation free key 2380. The confirmation free key 2380 may be converted to a confirmation key 2381 at 2312. Any combination of confirmation key 2381, distribution code 2356, and result 2382 may be transmitted from second peer 2375 to server 2350.

The second peer 2375 may be configured to transmit data to the server 2350. In some embodiments, the transmitter/receiver 2341 of the second peer 2375 may send any combination of result 2382, distribution code 2356, and confirmation key 2381 to server 2350. In some embodiments, the second peer 2375 may be configured to delete all data related to the transaction. In a particular embodiment, the second peer 2375 is a distribution code 2356, archive key 2377, distribution key 2353 from memory 2378 of second peer 2375 or processor of second peer 2375. , Verification key 2362, verification salt 2326, verification free key 2380, and verification key 2381 may be deleted. In some embodiments, deletion of data may occur concurrently with transmitting data to server 2350. In another embodiment, deletion of data may occur after transmitting the data to the server 2350.

Referring now to FIG. 24, the login method may further include verifying the verification process 2400. Server 2450 may be configured to receive data from one or more second peers 2475. In some embodiments, the sender/receiver 2441 of server 2450 may receive any combination of confirmation key 2461, result 2482, and distribution code 2456. The server 2450 may acknowledge and respond to the result 2482 received from the second peer 2475. If the result is positive, the processing verifier 2447 of the server 2450 transfers the distribution code 2456 received from the second peer 2475 to all or some distribution codes stored in the database 2457 of the server 2450 ( 2456). If the distribution code 2456 stored in the database 2457 of the server 2450 is the same as the distribution code 2456 received from the second peer 2475, the processing migrator 2402 of the server 2450 is the distribution code ( Any combination of verification salt 2463 and distribution key 2453 that may be associated with 2456 and stored in database 2457 of server 2450 may be retrieved. In some embodiments, the retrieved distribution key 2453 may be the distribution key 2453 stored during the registration process. The retrieved verification salt 2463 and the retrieved distribution key 2453 may be used by the data manipulator 2444 to generate the verification free key 2461 through association of the verification salt 2463 and the distribution key 2453. The verification free key 2461 may be converted into a verification key 2442 by the data converter 2445 (2412 ). In some embodiments, transform 2412 may include using a hashing algorithm. In another embodiment, the transform 2412 may include using an encryption method. Another embodiment may include transform 2412 using a combination of hashing algorithm and encryption method.

The processing verifier 2447 of the server 2450 may compare the generated verification key 2442 with the verification key 2461 received from the second peer 2475, and the processing generator 2246 generates an authentication result 2464. can do. If the verification key 2442 is the same as the verification key 2461 received from the second peer 2475, the result may be positive, for example, as an authentication success. If the confirmation key 2442 is not the same as the confirmation key 2461 received from the second peer 2475, the authentication result 2464 may be negative of authentication failure or risk, for example. The processing migrator 2402 of the server 2450 may store the authentication result 2464 in the database 2457. In some embodiments, the authentication result 2464 is stored with an associated distribution key 2453 generated during the registration method.

The server 2450 may transmit a new distribution key 2453 to one or more second peers 2475. Referring now to FIG. 19, the server 1950 may create a new peer list 1958 in the database 1957 of the server 1950. In some embodiments, in a method that may be the same as distributing one or more distribution keys 1900, server 1950 may allocate any combination of a new recipient code 1952 and a new distribution code 1956, and , To generate a new distribution key 1953, a combination of a new recipient code 1952 and a new distribution code 1956 may be used. The server 1950 may transmit the newly generated distribution key 1953 to a second peer 1975 that may be different from the second peer 1975 that previously stored the distribution key 1953.

The web authentication method may include generating a barcode, generating one or more keys, and establishing a web session. In addition, the web authentication system may include communication between one or more first devices, second devices, first servers, second servers, and Internet applications. One or more of the first device, the second device, the first server and the second server may include at least a processor and a transmitter/receiver. The one or more first devices and the one or more second devices may further include respective memories. In some embodiments, each of the one or more first devices and the one or more second devices may include a visual display. Each of the at least one first device and at least one second device may comprise means for scanning a barcode. The one or more first and second servers may further include a database.

The transmitter of the first device, the second device, the first server and the second server may be configured to transmit and receive information from an exogenous source. In some embodiments, the first device may be configured to transmit and receive information from any combination of the second device, the first server, and the second server. The first server and the second server may be configured to transmit and receive information from both the first device and the second device, and the second device may be configured to transmit and receive information from the first server, the first device and the second server. I can. The memory of the first device and the second device and the database of the server may be configured to store information and retrieve information. The visual display includes means for the user to interact with the display, for example data entry, text selection, object selection, and the like. The Internet application may be configured to transmit or receive information from any combination of a first server, a second server, a first device and a second device.

The processors of the first device, the second device, the first server and the second server may include a processing miter, a data manipulator, a data converter, a processing generator and a processing verifier. The processing migrater may be configured to migrate data from the first device, the second device, or one component in the first or second server to the first device, the second device, or another component in the first or second server. By way of example and not limitation, the processing miter may be configured to move data from a memory of a first device to a processor of a first device, or from a processor of a second device to a transmitter/receiver of a second device. . The data manipulator can be configured to manipulate data, such as joining, splitting, splitting and recombining, reordering, etc. By way of example and not limitation, the data manipulator of the first device may be configured to separate one or more strings into a first part and a second part, or to generate one or more strings, the data manipulator of the server May be configured to couple with the second part.

The data converter may be configured to convert a first character string to a second character string, where the first character string and the second character string may be different in any one or more of length, configuration, or arrangement. In some embodiments, the data converter may be configured to apply a hashing algorithm to the first string. In another embodiment, the data converter may be configured to apply an encryption protocol to the first string. In another embodiment, the data converter may be configured to apply a decryption protocol to the first string. Still in other embodiments, the data converter may be configured to apply a hashing algorithm, encryption protocol, decryption protocol, or any other known data conversion method to the first string to generate the second string.

The processing generator can be configured to generate data. In some embodiments, the data may include one or more character strings of any length and may include barcodes and the like. In some embodiments, the data may be generated in a random manner or in an indicated manner. The processing verifier can be configured to compare two or more data and determine if these data are the same or different. In some embodiments, the processing verifier and processing generator may be paired to determine if the first string and the second string are the same and generate a response based on the identity of the first and second strings.

The web authentication method may include generating the barcode shown in FIG. 25. Generating the barcode 2500 may be initiated in an internet application 2590. In some embodiments, the user may generate the barcode 2500 as a login request in the internet application 2590. The first consensus protocol pair 2646 may be generated by the processing generator 2646. In some embodiments, a first agreement protocol pair 2646 may be generated by processing generator 2646 in internet application 2590. The first key agreement protocol pair 2526 may include any key agreement protocol pair readily known to those skilled in the art. In some embodiments, the first key agreement protocol pair 2526 may comprise an Elliptic-curve Diffie-Hellman (ECDH) pair. According to some embodiments, the internet application 2590 may be configured to transmit information to the first server 2525. The processing migrator 2642 may transmit information to the transmitter/receiver 2541 of the Internet application 2590. Internet application 2590 transmits any combination of first public key 2503, first private key 2504 and any other information needed to generate barcode 2505. I can.

In some embodiments, the first server 2525 may be configured to receive information from the internet application 2590. The sender/receiver 2541 of the first server 2525 contains the first public key 2503, the first private key 2504, and any other necessary information to generate the barcode 2500 from the internet application 2590. Any combination can be received. The first server 2525 may generate a random key 2527 and the random key 2527 may be generated by the processing generator 2646 of the first server 2525. The random key 2527 may include one or more character strings of any length and characters may include letters, numbers, and symbols. In some embodiments, barcode 2505 may be generated. The processing generator 2546 can generate the barcode 2505 using a barcode precursor. Barcode 2505 may include any linear barcode, two-dimensional barcode, or any type of readable indicia readily known to those skilled in the art, but may include any type of barcode 2505. In some embodiments, barcode 2505 may comprise a QR code. Barcode 2505 may be generated from any combination of first public key 2503, first private key 2504, random key 2527, and any other information required to generate barcode 2500. In certain embodiments, the barcode 2505 may be generated by the data manipulator 2544 of the first server 2525 and may be based on the first public key 2503 and the random key 2527. The first server 2525 may be configured to transmit information to the Internet application 2590. In some embodiments, the transmitter/receiver 2541 of the first server 2525 may transmit information to the Internet application 2590. In a specific embodiment, the first server 2525 may transmit the barcode 2505 to the Internet application 2590. Internet application 2590 may receive barcode 2505 at transmitter/receiver 2551 and may display barcode 2505 on visual display 2590 of Internet application 2590.

The web authentication method may include generating one or more keys shown in FIGS. 26, 27 and 28. Referring now to FIG. 26, generating one or more keys 2600 may include a first device 2650 scanning barcodes 2605. The data manipulator 2644 of the first device 2650 receives the random key 2627, the first public key 2603 or the random key 2627 and the first public key 2603 from the information contained in the barcode 2605. Can be generated. Data manipulator 2644 may estimate any information contained within barcode 2605 to generate one or more keys 2600. Also, the processing generator 2646 of the first device 2650 may generate a second key agreement protocol pair 2651. The second key agreement protocol pair 2651 may include any key agreement protocol pair readily known to those skilled in the art. In some embodiments, the second key agreement protocol pair 2651 may comprise an Elliptic-curve Diffie-Hellman (ECDH) pair. In some embodiments, the second key agreement protocol pair 2651 may include a second private key 2652 and a second public key 2603. The second private key 2652 and first public key 2603 extrapolated from the barcode 2605 may be combined by the data manipulator 2644 to generate the secret key 2654. The processing generator 2646 of the first device 2650 may generate any combination of a salt 2655, an initializing vector 2656, and an iteration number 2657. In a particular embodiment, the processing generator 2646 of the first device 2650 may generate a salt 2655, an initial vector 2656, and an iteration number 2657, respectively. Salt 2655, initial vector 2656, and repeat number 2657 may each contain one or more character strings of any length and the characters may contain any combination of letters, numbers, or symbols. The initial vector 2656 may include the same number of characters as n, and may additionally include an IV first part 2658 and an IV second part 2765. . The IV first part 2658 and the IV second part 2659 may each include a plurality of characters between 1 and n-1. The repetition number 2657 may include the same number of characters as n, and may additionally include an IN first part 2660 and an IN second part 2661. The IN first part 2660 and the IN second part 2661 may each include a plurality of characters between 1 and n-1. The data manipulator 2644 may generate an IV first part 2658 and an IV second part 2659 from the initial vector 2656. The data manipulator 2644 may generate the IN first part 2660 and the IN second part 2661 from the repetition number 2657. According to some embodiments, secret key 2654, salt 2655, IV first part 2658 and IN first part 2660 are masked secret key 2662, masked by data converter 2645 The salt 2663, the masked IV first part 2664, and the masked first part 2665 may be converted (2612). In some embodiments, the initial vector 2656 may be transformed 2612 into a masked IV first part 2664 by the data converter 2645. Likewise, the repetition number 2657 may be converted to the first part 2665 masked by the data converter 2645 (2612). In some embodiments, transform 2612 may include using a hashing algorithm. In another embodiment, transform 2612 may include using an encryption method. Another embodiment may include a transform 2612 that uses a combination of hashing algorithms and encryption methods. In some embodiments, the repetition number 2657 may be kept as it is without generating the IN first part 2660 and the IN second part 2661, and the resulting IN first part 2660 may not be converted. There is (2612).

The processing generator 2646 of the first device 2650 may generate a client key 2666. The client key 2666 may contain one or more character strings of any length and the characters may contain any combination of letters, numbers, or symbols. According to some embodiments, the client key 2666 may be converted to the first masked client key 2667 by the data converter 2645 (2612). In another embodiment, the client key 2667 may be converted to a second masked client key 2668 by the data converter 2645 (2612). In another embodiment, the client key 2666 may be converted by the data converter 2645 into a first masked client key 2667 and a second masked client key 2668 respectively (2612). Transform 2612 may include using a hashing algorithm. Further, the conversion 2612 may include using an encryption method. In some embodiments, transform 2612 may include a combination of a hashing algorithm and an encryption method. The first device 2650 may be configured to transmit information to the first server 2625. In some embodiments, the transmitter/receiver 2631 of the first device 2650 includes a first masked client key 2667, a second masked client key 2668, a masked secret key 2662, and a masked salt. (2663), any combination of masked IV first part 2664 and masked IN first part 2665 to first server 2625. Can be transmitted. In some embodiments, the first device 2650 may display each of the IV second part 2659 and the IN second part 2661 on the visual display 2669 of the first device 2650. In certain embodiments, the iteration number 2657 may be displayed entirely on the visual display 2669 of the first device 2650.

Referring now to FIG. 27, generating one or more keys may include a first server 2725 receiving information from a first device 2750. In some embodiments, the transmitter/receiver 2741 of the first server 2725 is a masked secret key 2716, a second masked client key 2768, a masked salt 2763, a masked IV first part. Any combination of a first masked client key 2767 may be received from the first device 2750 and the masked first part 2765. In some embodiments, the processing migrator 2722 of the first server 2725 includes a masked secret key 2728, a second masked client key 2768, a masked salt 2763, a masked IV first part ( 2764), the masked first part 2765, and the database 2729 of the first server 2725 may store one or more of the first masked client key 2767 received from the first device 2750 . According to a specific embodiment, the processing migrator 2722 of the first server 2725 may store the first masked client key 2767 in the database 2729 of the first server 2729.

The first server 2725 may be configured to transmit information to the Internet application 2790. In some embodiments, the transmitter/receiver 2741 of the first server 2725 is a masked secret key 2716, a second masked client key 2768, a masked salt 2763, a masked IV first part. An arbitrary combination of the masked IN first part 2765 and the first masked client key 2767 may be transmitted to the first server 2725. In a specific embodiment, the transmitter/receiver 2741 of the first server 2725 is a masked secret key 2716, a second masked client key 2768, a masked salt 2763, a masked IV first part. (2764) and the masked IN first part 2765 may be transmitted to the first server 2725. In another embodiment, the transmitter/receiver 2741 of the first server 2725 includes a masked secret key 2716, a second masked client key 2768, a masked salt 2764, and a masked IV first part. Any combination of 2764 may be transmitted to the Internet application 2790 (collectively from this point on, referred to as "received data 2728").

As shown in Figure 28, the step of generating one or more keys 2800 may include a transmitter/receiver 2841 of an Internet application 2890 receiving data 2828 received from a first server 2825. I can. The first device 2850 may include a user input 2869, which may include an IV second part 2659 and an IN second part 2661 (see FIG. 26), each of which may contain a string. have. The user input 2869 may include an IV first part and a repetition number. In some embodiments, the user input 2869 may be displayed on the graphic display 2869 of the first device 2850. Generating one or more keys may include user input 2869 entered into internet application 2890. The data converter 2844 of the Internet application 2890 converts the received data 2828 into a secret key 2854, IN first part 2860, salt 2855, IV first part 2858 and client key 2866. ) Can be converted to one or more of (2812). Transformation 2812 may include using a hashing algorithm. Further, the conversion 2812 may include using an encryption method. Transformation may involve using a decryption method. In some embodiments, transform 2812 may include any combination of hashing algorithms, encryption methods, or decryption methods. According to some embodiments, the data converter 2844 of the Internet application 2890 uses both the user input 2886 and the received data 2828 to convert the 2812 received data 2828 into the secret key 2854 and IN. One or more of 1 part 2860, salt 2855, IV first part 2858, and client key 2866 can be converted. The processing migrater 2842 may store the client key 2866 in the storage 2891 of the Internet application 2890. The data converter 2845 of the Internet application 2890 may convert the client key 2866 into a third masked client key 2892 (2812). In some embodiments, the third masked client key 2892 may be migrated to the sender/receiver 2841 of the Internet application 2890 by the processing migrater 2842. The transmitter/receiver 2841 of the Internet application 2890 may transmit the third masked client key 2892 to the first server 2815.

The web authentication method may include establishing a web session. As shown in FIG. 29, the transmitter/receiver 2941 of the first server 2925 may receive a third masked client key 2998 from the Internet application 2990. According to some embodiments, the processing migrator 2928 of the first server 2725 may retrieve the stored first masked client key 2929 from the database 2913 of the first server 2725. The processing verifier 2947 may compare the retrieved first masked client key 2918 with the third masked client key 2990 received from the internet application 2990. The processing generator 2946 can generate a result 2930 based on the identities of the first masked client key 2918 and the third masked client key 2998. The transceiver 2941 of the first server 2925 may transmit the result 2930 to the second server 2980. The transmitter/receiver 2941 of the second server 2980 may receive the result 2930 from the first server 2925 and generate a web token 2991. Web token 2931 may be generated by processing generator 2946. In some embodiments, the web token 2931 may be any means known in the art to authorize the establishment of a web session. The second server 2980 may transmit the generated web token 2931 to the first server 2815. The transmitter/receiver 2941 of the first server 2915 may receive the web token 2991 from the second server 2980 and transmit the received web token 2991 to the internet application 2990. The transmitter/receiver 2941 of the Internet application 2990 may receive the web token 2991 from the first server 2825. In some embodiments, the internet application may transmit the received web token to the second server. The second server may receive a web token from a web browser and establish a web session. Also, the second server may be configured to transmit information to the first server. In some embodiments, the second server may transmit information regarding receipt of a web token from an internet application. Information about receiving a web token from an internet application may include any information about the internet application, information about the user of the internet application, information about accessing the web session, space and/or any component of the system described herein. Or, it may include time information, but is not limited thereto. The first server may receive information regarding reception of a web token from the second server. In some embodiments, the first server may be configured to transmit information to the first device including, but not limited to, information regarding the receipt of a web token. Those skilled in the art will understand that other variations of the embodiments described herein may also be practiced without departing from the scope of the invention. Therefore, other modifications are possible.

Claims (20)

In a method of generating, distributing and storing a key to authenticate an identity,
At one or more servers, receiving a registration request from a first peer;
In response to receiving the registration request, transmitting registration data from the one or more servers to the first peer, the registration data including at least a client registration code;
Receiving, at the one or more servers, a registration key and a server key, the registration key and the server key being generated by the first peer;
Generating at least one sender code, at least one receiver code, at least one distribution code, and a peer list in the at least one server-the peer list includes the at least one receiver code and the at least one distribution code Ham -;
Generating at least one distribution key, the at least one distribution key being based on at least one recipient code, the server key and at least one sender code;
Storing the registration key, the at least one distribution key and the peer list in one or more databases associated with one or more servers;
Transmitting, from the one or more servers, the at least one distribution key and the at least one distribution code to at least one second peer;
Receiving, at the one or more servers, the at least one distribution code and storage key from the at least one second peer; And
Storing the at least one distribution code and the storage key received from the at least one second peer in the peer list in the at least one database associated with the at least one server
Including
Way.
The method of claim 1,
The first peer is:
Receiving the registration data from the one or more servers;
Receiving a user input, the user input including two or more selection codes;
Separating the two or more selection codes into at least a selection code of a first group and a selection code of a second group;
Generating a client key from the selection code of the first group;
Generating the server key from the selection code of the second group;
Generating at least a client key first part and a client key second part from the client key;
Generating at least a server key first part and a server key second part from the server key;
Generating the registration key, wherein the registration key is based on the client key, the server key and the client registration code;
Storing the client key and the client registration code in a memory of the first peer; And
Transmitting at least one registration key and the server key to the one or more servers
Including
Way.
The method of claim 1,
The registration data is the client registration code and the selection object group
Containing
Way.
The method of claim 2,
The user input is at least one of biometric data, spatial data, and temporal data.
Containing
Way.
The method of claim 2,
Generating the client key from the selection code of the first group comprises:
Converting individual selection codes including the selection codes of the first group into groups of converted selection codes;
Associating each individual converted selection code including the converted selection code group with one or more character strings including a client-free key; And
Converting the client free key into the client key
Including
Way
The method of claim 2,
Generating the server key from the selection code of the second group comprises:
Converting individual selection codes including the selection codes of the second group into groups of converted selection codes;
Associating each individual converted selection code including the converted selection code group with one or more character strings including a server-free key; And
Converting the server-free key into the server key
Including
Device.
The method of claim 2,
Generating the registration key includes:
Associating at least one of the first part of the client key and the second part of the client key with at least one of the first part of the server key and the second part of the server key to generate one or more strings including a first free key step;
Converting the first free key into a second free key;
Associating the second free key with the client registration code to generate one or more strings including the registration free key; And
Converting the registration free key into the registration key
Including
Way.
The method of claim 1,
Receiving the at least one distribution code and the storage key from the at least one second peer further comprises the at least one second peer,
The at least one second peer is:
Receiving, from one or more servers, at least one distribution code and at least one distribution key;
Generating a storage code and the storage key, the storage key being based on the storage code and at least one distribution key;
Storing the at least one distribution key, the storage key and the at least one distribution code in a memory of the at least one second peer; And
And transmitting the storage key and the at least one distribution code to the one or more servers.
Way.
The method of claim 8,
Generating the storage key comprises:
Associating the at least one distribution key and the storage code with at least one character string including a storage free key; And
Converting the storage free key into the storage key
Including
Way.
The method of claim 1,
Generating the at least one distribution key comprises:
Associating one or more server keys, registration keys, at least one sender code, and at least one recipient code into one or more character strings including at least one distribution-free key; And
Converting the at least one distribution free key into the at least one distribution key
Including
Way.
In the method of authenticating an identity using a key,
The method is:
Receiving, at one or more servers, a login request from a first peer;
Generating a login salt in one or more servers;
Storing the login salt in one or more databases associated with the one or more servers;
Transmitting login data from the at least one server to the first peer, the login data including at least one login salt;
At one or more servers, receiving a login key and a server key from the first peer;
Retrieving, from one or more databases associated with the one or more servers, a stored registration key, the login salt, a recipient code and a distribution code;
Generating, at the one or more servers, a comparison login key, the comparison login key being based on the stored registration key and the login salt;
Comparing, at the one or more servers, the comparison login key and the login key received from the first peer;
Generating, at the one or more servers, a sender code and a verification salt;
Generating, at the one or more servers, at least one distribution key, the at least one distribution key being based on at least a server key received from the first peer, the sender code and the recipient code;
In the one or more servers, generating at least one verification key-the at least one verification key is based on at least one of the server key, the stored registration key, the sender code, the recipient code, and the verification salt- ;
Storing the at least one verification key and the verification salt in a peer list;
Transmitting the at least one verification key, the verification salt and the distribution code from the one or more servers to at least one second peer;
Receiving, at the one or more servers, the distribution code and confirmation key from the at least one second peer;
Comparing the distribution code received from the at least one second peer with distribution codes stored in the one or more databases associated with the one or more servers;
Retrieving the stored distribution key and the verification salt from the one or more databases associated with the one or more servers;
Generating a second verification key based on the stored distribution key and the verification salt;
Comparing the verification key received from the at least one second peer with the second verification key; And
Steps to generate authentication results
Including
Way.
The method of claim 11,
The first peer is:
Receiving the login data from the one or more servers;
Receiving a user input, the user input including two or more selection codes;
Separating the two or more selection codes into a selection code of a first group and a selection code of a second group;
Generating a client key from the selection code of the first group;
Generating the server key from the selection code of the second group;
Generating at least a client key first part and a client key second part from the client key;
Generating at least a server key first part and a server key second part from the server key;
Retrieving a stored client registration code from the memory of the first peer;
Generating a registration key, the registration key being based on the client key, the server key and the client registration code;
Generating the login key based on the registration key;
Storing the client key in a memory of the first peer; And
Transmitting at least the login key and the server key to the one or more servers
Including
Way.
The method of claim 11,
The login data is the login salt and selected object group
Containing
Way.
The method of claim 12,
The user input includes at least one of biometric data, spatial data, and temporal data.
Way.
The method according to any one of claims 1 to 14,
The at least one second peer is:
Receiving the distribution code, the at least one verification key, and the verification salt from the one or more servers;
Comparing the distribution codes received from the one or more servers with distribution codes stored in the memory of the at least one second peer;
Retrieving a stored distribution key from the memory of the at least one second peer;
Generating the verification key, the verification key generating the verification key based on the stored distribution key and the verification salt; And
Transmitting the distribution code and the confirmation key to the one or more servers
Including
Way.
In the method of generating a web token,
The method is:
Receiving, at a first one or more servers, a login request and a first public key;
In response to the login request, transmitting, from the first one or more servers to an internet application, a readable indication, the readable indication being based on a random key and the first public key, the internet application being:
Receive the readable indication from the first one or more servers;
Display a readable indication such that the readable indication is readable by a first device, the first device:
At the first device, generate a client key;
Converting the client key into a first masked client key and the second masked client key; And
Configured to transmit the first masked client key and the second masked client key to the first one or more servers;
Receiving the first masked client key and the second masked client key from the first device;
Storing at least one of the first masked client key and the second masked client key in one or more databases associated with the first one or more servers;
Transmitting the second masked client key to an internet application-the internet application:
Receive, from the first one or more servers, the second masked client key;
Converting the second masked client key into the client key;
Convert the client key to a third masked client key; And
Configured to transmit the third masked client key from the internet application to the first one or more servers;
Receiving the third masked client key from the internet application;
Retrieving at least one of the first masked client key and the second masked client key stored in the one or more databases associated with the first one or more servers;
Comparing the third masked client key with at least one of the first masked client key and the second masked client key;
Generating a result, at the first one or more servers; And
Transmitting results from the first one or more servers to one or more second servers, wherein the one or more second servers:
Receive results from the first one or more servers;
In the at least one second server, configured to generate a web token;
Including
Way.
The method of claim 16,
The first device:
In the first apparatus, generating an initial vector execution, the initial vector (IV) comprising an IV first part and an IV second part;
In the first device, generating a repetition number;
Creating a masked IV first part from the IV first part;
Displaying the IV second part and the repetition number on a visual display of the first device in a manner that can be observed by a user; And
Transmitting the masked IV first part from the first device to the first one or more servers
Further composed of
Way.
The method of claim 17,
The internet application is:
Receiving the web token from the first one or more servers;
Transmitting the web token from the internet application to the at least one second server, the at least one second server:
Receive a web token from the internet application; And
Configured to start a web session -;
Further composed of
Way.
In a system comprising one or more servers,
The one or more servers are:
At least one memory containing server instructions; And
At least one processing device configured to execute the server command
Including,
The server command causes the at least one processing device to:
At the one or more servers, receiving a registration request from a first peer;
In response to receiving the registration request, transmitting registration data from the one or more servers to the first peer, the registration data including at least a client registration code;
Receiving, at the one or more servers, a registration key and a server key, the registration key and server key being generated by the first peer;
In the one or more servers, generating at least one sender code, at least one receiver code, at least one distribution code, and a peer list-The peer list includes the at least one receiver code and the at least one distribution code Ham -;
Generating at least one distribution key, wherein the at least one distribution key is based on the at least one recipient code, the server key and the at least one sender code;
Storing the registration key, the at least one distribution key, and a peer list in one or more databases associated with the one or more servers;
Transmitting, from the one or more servers, the at least one distribution key and the at least one distribution code to at least one second peer;
Receiving, at the one or more servers, the at least one distribution code and storage key from the at least one second peer; And
Storing, in the peer list of the one or more databases associated with the one or more servers, the at least one distribution code and a storage key received from the at least one second peer
To perform the actions of
Device.
The method of claim 19,
The server command also causes at least one processing device to:
Receiving, at the one or more servers, a login request from the first peer;
Generating a login salt in the at least one server;
Storing the login salt in the one or more databases associated with the one or more servers;
Transmitting login data from the at least one server to the first peer, the login data including at least one login salt;
At one or more servers, receiving a login key and the server key from the first peer;
Retrieving, from one or more databases associated with the one or more servers, a stored registration key, the login salt, the recipient code and the distribution code;
Generating, at the one or more servers, a comparison login key, the comparison login key being based on the stored registration key and the login salt;
Comparing, at the one or more servers, the comparison login key and the login key received from the first peer;
Generating, at the one or more servers, a sender code and a verification salt;
Generating, at the one or more servers, at least one distribution key, the at least one distribution key being based on at least a server key received from the first peer, the sender code and the recipient code;
Generating, at the one or more servers, at least one verification key, wherein the at least one verification key is based on the server key, the sender code, the recipient code and the verification salt;
Storing the at least one verification key and the verification salt in the peer list of the one or more servers;
Transmitting the at least one verification key, the verification salt and the distribution code from the one or more servers to at least one second peer;
Receiving, at the one or more servers, the distribution code and confirmation key from the at least one second peer;
Comparing the distribution code received from the at least one second peer with distribution codes stored in the one or more databases associated with the one or more servers;
Retrieving the stored distribution key and the verification salt from the one or more databases associated with the one or more servers;
Generating a second verification key based on the stored distribution key and the verification salt;
Comparing the verification key received from the at least one second peer with the second verification key; And
Steps to generate authentication results
To perform the actions of
Device.

Images